Description
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that permits unauthenticated attackers to retrieve RBAC role bindings and member email addresses. The flaw arises from an improper NULL comparison in the authorization gate, which allows attackers to read sensitive membership and role information through the PostgREST RPC endpoint. The weakness is classified as CWE-287 (Improper Authentication): the gate fails to reject an unauthenticated caller, and the result is information disclosure.
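The gate failure described above, as an added illustration in hypothetical PL/pgSQL that is not Capgo's actual function: the org_users table and the Supabase-style auth.uid() helper (assumed to return NULL for a caller presenting only the public key) are assumptions. A check written as `= NULL` never raises, so the weak form returns every binding to an unauthenticated caller; the hardened form uses IS NULL and adds a membership check.

```sql
-- Hypothetical PL/pgSQL illustrating the bug class, not Capgo's own code.
-- Assumes a Supabase-style auth.uid() helper that returns NULL when the
-- request carries only the public (anon) API key, and a constructed table.

CREATE TABLE org_users (
  org_id  uuid NOT NULL,
  user_id uuid NOT NULL,
  email   text NOT NULL,
  role    text NOT NULL
);

-- Three-valued logic: a comparison involving NULL is NULL, not TRUE or FALSE.
-- NULL = NULL  is NULL
-- NULL <> NULL is NULL
-- NULL IS NULL is TRUE
-- PL/pgSQL treats a NULL IF condition as false, so the branch is skipped.

-- Weak gate: intends to reject unauthenticated callers but never fires.
CREATE OR REPLACE FUNCTION get_org_user_access_rbac_weak(p_org uuid)
RETURNS TABLE (user_id uuid, email text, role text)
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  IF auth.uid() = NULL THEN            -- NULL, never TRUE: no exception
    RAISE EXCEPTION 'unauthenticated';
  END IF;
  RETURN QUERY
    SELECT ou.user_id, ou.email, ou.role
    FROM org_users ou
    WHERE ou.org_id = p_org;           -- anon caller receives every binding
END $$;

-- Hardened gate: IS NULL is the only test that yields TRUE for NULL,
-- and the caller must additionally be a member of the organization.
CREATE OR REPLACE FUNCTION get_org_user_access_rbac_fixed(p_org uuid)
RETURNS TABLE (user_id uuid, email text, role text)
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'unauthenticated';
  END IF;
  IF NOT EXISTS (SELECT 1 FROM org_users m
                 WHERE m.org_id = p_org AND m.user_id = auth.uid()) THEN
    RAISE EXCEPTION 'not a member of this organization';
  END IF;
  RETURN QUERY
    SELECT ou.user_id, ou.email, ou.role
    FROM org_users ou
    WHERE ou.org_id = p_org;
END $$;
```

A cheap regression check for any SECURITY DEFINER RPC is to call it with only the anon key and assert that it raises rather than returns rows.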

Affected Systems

All Capgo deployments running a version earlier than 12.128.2 are affected. No other vendors or products are listed. Anyone using the Capgo platform with a default or public API key configuration may be vulnerable.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 indicates high severity. While no EPSS score is available, the vulnerability can be exploited remotely with only a public API key, a low barrier to entry for attackers. The vulnerability is not listed in the CISA KEV catalog, but its ease of exploitation and the sensitivity of the disclosed data make it a high-risk issue. The likelihood of exploitation is significant for any publicly exposed Capgo instance that does not enforce stricter authentication for the RPC endpoint.

Generated by OpenCVE AI on June 30, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Capgo instance to version 12.128.2 or later to apply the vendor fix.
  • If an upgrade is not immediately possible, disable or restrict public API key usage for RPC endpoints and enforce authenticated access before calling the get_org_user_access_rbac function.
  • Apply network segmentation or firewall rules to limit external access to the PostgREST RPC endpoint, ensuring only trusted networks can query RBAC information.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type: Description
Values removed: (none)
Values added: Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.

Type: Title
Values removed: (none)
Values added: Capgo - Unauthenticated RBAC Bindings and Email Disclosure via get_org_user_access_rbac NULL-auth Bypass

Type: Weaknesses
Values removed: (none)
Values added: CWE-287

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:22.177Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56219

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses