Impact
Capgo versions prior to 12.128.2 contain a broken row‑level security policy on the org_users table. The policy fails to restrict users with admin privileges from accessing records belonging to super_admin accounts. As a result, an attacker who has already authenticated as an admin can elevate their access level to super_admin, granting full system control and the ability to modify or delete critical data. The weakness is a classic privilege escalation scenario rooted in inadequate access controls (CWE‑266).
Affected Systems
The vulnerability affects the Capgo application (Capgo:Capgo). No specific affected versions are listed beyond the claim that all releases before 12.128.2 are vulnerable, so any deployment running a pre‑12.128.2 version is at risk.
Risk and Exploitability
The CVSS score of 7 indicates a moderate severity. No EPSS value is published and the issue is not listed in CISA’s KEV catalog, suggesting limited known exploitation. The attack requires the attacker to be an authenticated admin user; once authenticated, the attacker can exploit the insufficient RLS enforcement to gain super_admin rights. The nature of the flaw allows exploitation without elevated network privileges or additional exploits.
OpenCVE Enrichment