Description
Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, image_url, role, and is_tmp from organizations outside their assigned scope.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-go before version 12.128.2 has a vulnerability in the GET /organization/members endpoint that allows an attacker who possesses an organization-limited API key to bypass the intended scope restrictions. The flaw lets the attacker retrieve detailed membership information—such as user identifiers, email addresses, profile image URLs, roles, and temporary status—of organizations outside the key’s assigned scope, thereby compromising confidential data about users in other organizations. This weakness falls under CWE-285 (Authorization Bypass via Privilege Escalation).

Affected Systems

Vulnerable instances of Cap-go running any version earlier than 12.128.2 are affected. The product is identified as Cap-go:capgo in the CNA data. Attackers can exploit the flaw through the web API exposed by Cap-go deployments that provide organization-limited API keys.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Because the exploitation requires an existing organization-limited API key, the primary risk is to organizations that issue such keys without robust controls. Though no EPSS score is available, the presence of a focused API endpoint suggests that an attacker could leverage the flaw if they acquire or guess a valid key. No remote code execution or privilege escalation on the host is reported, but the data leakage could lead to social engineering or account compromise for affected users.

Generated by OpenCVE AI on June 24, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cap-go to version 12.128.2 or later
  • Regenerate or rotate all organization-limited API keys, especially those that might have been exposed or shared
  • Enforce least privilege for API keys by restricting them to only the intended organization scope
  • Monitor API logs for unauthorized access to the /organization/members endpoint

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type / Values Removed / Values Added (nothing was removed in this entry):
  First Time appeared: Cap-go; Cap-go cap-go
  Vendors & Products: Cap-go; Cap-go cap-go

Wed, 24 Jun 2026 12:00:00 +0000

Type / Values Removed / Values Added (nothing was removed in this entry):
  Description: Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, image_url, role, and is_tmp from organizations outside their assigned scope.
  Title: Cap-go - Authorization Bypass in Organization Members Endpoint via API Key Scope Bypass
  Weaknesses: CWE-285
  References
  Metrics:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T13:21:05.162Z

Reserved: 2026-06-20T12:53:19.893Z

Link: CVE-2026-56310

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses