Impact
Capgo versions before 12.128.2 expose an improper access control flaw in the public.get_org_members RPC. The endpoint accepts only a public sb_publishable_* key and an organization UUID, allowing anyone to retrieve lists of organization members, including email addresses, user IDs, roles, and pending invitations. The vulnerability enables attackers to gain confidential user information without authentication, potentially compromising privacy and facilitating further social engineering attacks.
Affected Systems
The affected product is Capgo. All releases prior to version 12.128.2 are vulnerable. Updates to 12.128.2 or later contain the fix for this improper access control.
Risk and Exploitability
The CVSS score of 8.7 indicates a high severity. The attack vector is remote, as the vulnerable RPC is publicly reachable. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a valid sb_publishable_* key and the organization UUID, both of which can be found by enumerating public project resources. Without authentication, an attacker can immediately enumerate sensitive membership information.
OpenCVE Enrichment