Description
Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.
Published: 2026-06-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions before 12.128.2 expose an improper access control flaw in the public.get_org_members RPC. The endpoint accepts only a public sb_publishable_* key and an organization UUID, allowing anyone to retrieve lists of organization members, including email addresses, user IDs, roles, and pending invitations. The vulnerability enables attackers to gain confidential user information without authentication, potentially compromising privacy and facilitating further social engineering attacks.

Affected Systems

The affected product is Capgo. All releases prior to version 12.128.2 are vulnerable. Updates to 12.128.2 or later contain the fix for this improper access control.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The attack vector is remote, as the vulnerable RPC is publicly reachable. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a valid sb_publishable_* key and the organization UUID, both of which can be found by enumerating public project resources. Without authentication, an attacker can immediately enumerate sensitive membership information.

Generated by OpenCVE AI on June 21, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to apply the official fix for the improper access control bug.
  • Restrict network access to the get_org_members RPC by implementing IP whitelisting or mutual TLS so that only authorized internal services can call it.
  • Rotate and revoke any compromised or unnecessary sb_publishable_* keys, and monitor logs for unexpected calls to the public RPC endpoint.

Generated by OpenCVE AI on June 21, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.
Title Capgo - Unauthenticated Organization Member Email Disclosure via get_org_members RPC
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T02:47:36.388Z

Reserved: 2026-06-19T21:56:09.655Z

Link: CVE-2026-56253

cve-icon Vulnrichment

Updated: 2026-06-23T02:47:30.804Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:28Z

Weaknesses