Home

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles, management emails, and billing metadata.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-10 | Updated 2026-07-10 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Missing Authorization

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-fch8-pp28-mw2x exploit

github.com/.../capgo/security/advisories/GHSA-fch8-pp28-mw2x (GitHub Security Advisory (GHSA-fch8-pp28-mw2x)) vendor-advisory

www.vulncheck.com/...disclosure-via-get-orgs-v7-rpc-endpoint (VulnCheck Advisory: Capgo - Information Disclosure via get_orgs_v7 RPC Endpoint) third-party-advisory

cve.org (CVE-2026-56279)

nvd.nist.gov (CVE-2026-56279)

Download JSON