Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before 12.128.2 includes an information disclosure flaw in the public.invite_user_to_org RPC function that lets unauthenticated callers learn whether a given organization ID exists. The function runs as SECURITY DEFINER (the PostgreSQL mode in which a function executes with its owner's privileges rather than the caller's) and is reachable with nothing more than a publishable API key, a credential designed to be embedded in client applications and therefore no proof of identity. Because the function answers NO_ORG when the supplied ID does not exist and NO_RIGHTS when it exists but the caller lacks rights on it, an attacker can submit candidate IDs and read existence directly off the error code. The result is tenant enumeration: a confirmed list of organization IDs that exposes the deployment's internal structure and can seed targeted follow-on attacks against those tenants.
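The oracle described above, as an added example rather than Capgo's own code: a minimal model of an RPC that reports "no such organization" and "no rights on this organization" with different codes, the attacker's enumeration loop against it, and a hardened variant that refuses anonymous callers and collapses both failures into one response. The organization IDs, rights table and caller names are constructed for the example; the real schema and function body are not shown here.

```python
# Added example (not Capgo's code): why distinct NO_ORG / NO_RIGHTS responses
# form an organization-existence oracle, and the uniform-error fix.
# ORGS, RIGHTS and the caller names are constructed sample data.


class RpcError(Exception):
    """Error returned to the RPC caller; only .code is observable remotely."""

    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


# Constructed tenant data. The anonymous caller is what a request carrying
# only a publishable key resolves to: it is accepted, but holds no rights.
ORGS = {"org_a", "org_b"}
RIGHTS = {("user_42", "org_a")}
ANON = "anon"


def invite_user_vulnerable(caller: str, org_id: str, email: str) -> str:
    """Tests existence before authorization and names each failure differently."""
    if org_id not in ORGS:
        raise RpcError("NO_ORG")        # leaks: the id does not exist
    if (caller, org_id) not in RIGHTS:
        raise RpcError("NO_RIGHTS")     # leaks: the id exists, caller lacks rights
    return f"invited {email} to {org_id}"


def invite_user_fixed(caller: str, org_id: str, email: str) -> str:
    """Rejects anonymous callers outright and returns one code for both
    'missing org' and 'no rights', so the response never depends on existence."""
    if caller == ANON:
        raise RpcError("NO_RIGHTS")
    if org_id not in ORGS or (caller, org_id) not in RIGHTS:
        raise RpcError("NO_RIGHTS")
    return f"invited {email} to {org_id}"


def probe(fn, candidates: list[str]) -> dict[str, str]:
    """Attacker's loop: call the RPC as the anonymous caller for each
    candidate id and record the error code ('OK' on unexpected success)."""
    seen = {}
    for org_id in candidates:
        try:
            fn(ANON, org_id, "attacker@example.com")
            seen[org_id] = "OK"
        except RpcError as err:
            seen[org_id] = err.code
    return seen


def enumerate_orgs(fn, candidates: list[str]) -> list[str]:
    """Compare each candidate against the baseline response for an id the
    attacker knows cannot exist; any id whose code differs is a real tenant."""
    nonce = "no-such-org-7f3a9c"
    baseline = probe(fn, [nonce])[nonce]
    return sorted(o for o, code in probe(fn, candidates).items() if code != baseline)


def is_oracle(fn, candidates: list[str]) -> bool:
    """True when the anonymous caller can observe more than one distinct
    response across candidates, i.e. the response carries tenant information."""
    return len(set(probe(fn, candidates).values())) > 1


if __name__ == "__main__":
    guesses = ["org_a", "org_b", "org_c", "org_d"]
    print("vulnerable:", enumerate_orgs(invite_user_vulnerable, guesses))  # ['org_a', 'org_b']
    print("fixed:     ", enumerate_orgs(invite_user_fixed, guesses))       # []
```

The baseline trick matters in practice: the attacker does not need to know the error vocabulary in advance, only that a random ID cannot exist, so renaming the codes is no fix. Only making the response independent of existence (and refusing callers who cannot be authorized at all) closes the oracle.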

Affected Systems

All Capgo releases before version 12.128.2 are affected. The flaw lives in the database-side RPC function public.invite_user_to_org, so any deployment that exposes that function to callers holding only a publishable API key, as the CVE description states it can be called, is reachable by unauthenticated attackers.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (Medium; the v3.1 score is 5.3) reflects an attack that needs no privileges, no user interaction and only network access, but that discloses a limited amount of confidential information and affects neither integrity nor availability. No EPSS score has been published yet and the CVE is not in the CISA KEV catalog, so there is no public evidence of exploitation in the wild at the time of writing; that is not evidence of absence, an existence oracle is trivial to script, and a confirmed tenant list is a useful first step for targeted attacks, so the fix should be applied promptly.

Generated by OpenCVE AI on June 30, 2026 at 23:23 UTC.

Remediation

This page links no vendor advisory or workaround. The CVE description names 12.128.2 as the first unaffected version, so upgrading is the remediation.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later, the first version the CVE description lists as unaffected.
  • Until the upgrade is in place, stop serving the oracle: require an authenticated, role-checked caller for public.invite_user_to_org, and make the function return the same error for a non-existent organization and for an organization the caller has no rights on, so the response no longer depends on whether the ID exists.
  • Log and monitor calls to invite_user_to_org. A single source, especially one presenting only a publishable key, cycling through many distinct organization IDs and collecting mostly NO_ORG errors is the enumeration pattern to alert on.
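The monitoring step above, as an added example that is not OpenCVE's or Capgo's code: detection logic for the enumeration pattern, run over constructed log lines. The JSON-per-line format and its field names (ts, src, rpc, org_id, error) are assumptions made for this example, not any real Capgo or PostgREST log schema; the thresholds are starting points to tune against real traffic.

```python
# Added example (not Capgo's or OpenCVE's code): flag sources that call
# invite_user_to_org with many distinct org ids in a short window and mostly
# receive NO_ORG. Log format and field names are assumptions for this example.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one anonymous source cycling through ids, one
# legitimate user inviting to its own org twice, one low-volume anonymous caller.
SAMPLE_LOG = """
{"ts": "2026-06-30T22:00:01+00:00", "src": "anon:203.0.113.7", "rpc": "invite_user_to_org", "org_id": "org-0001", "error": "NO_ORG"}
{"ts": "2026-06-30T22:00:02+00:00", "src": "anon:203.0.113.7", "rpc": "invite_user_to_org", "org_id": "org-0002", "error": "NO_ORG"}
{"ts": "2026-06-30T22:00:03+00:00", "src": "anon:203.0.113.7", "rpc": "invite_user_to_org", "org_id": "org-0003", "error": "NO_ORG"}
{"ts": "2026-06-30T22:00:04+00:00", "src": "anon:203.0.113.7", "rpc": "invite_user_to_org", "org_id": "org-0004", "error": "NO_RIGHTS"}
{"ts": "2026-06-30T22:00:05+00:00", "src": "anon:203.0.113.7", "rpc": "invite_user_to_org", "org_id": "org-0005", "error": "NO_ORG"}
{"ts": "2026-06-30T22:00:06+00:00", "src": "anon:203.0.113.7", "rpc": "invite_user_to_org", "org_id": "org-0006", "error": "NO_ORG"}
{"ts": "2026-06-30T22:01:00+00:00", "src": "user:42", "rpc": "invite_user_to_org", "org_id": "org-0004", "error": null}
{"ts": "2026-06-30T22:03:00+00:00", "src": "user:42", "rpc": "invite_user_to_org", "org_id": "org-0004", "error": null}
{"ts": "2026-06-30T22:05:00+00:00", "src": "anon:198.51.100.9", "rpc": "invite_user_to_org", "org_id": "org-0004", "error": "NO_RIGHTS"}
{"ts": "2026-06-30T22:05:30+00:00", "src": "anon:198.51.100.9", "rpc": "invite_user_to_org", "org_id": "org-9999", "error": "NO_ORG"}
"""


def parse_log(text: str):
    """Yield one dict per non-blank JSON line, with ts parsed to a datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def find_enumerators(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_orgs: int = 5, min_no_org_ratio: float = 0.5) -> list[dict]:
    """Per source, slide a time window over its invite_user_to_org calls and
    report the widest window that touches >= min_orgs distinct org ids with at
    least min_no_org_ratio of calls ending in NO_ORG (the 'guessing' signature)."""
    by_src = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["rpc"] == "invite_user_to_org":
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            orgs = {r["org_id"] for r in win}
            no_org = sum(1 for r in win if r["error"] == "NO_ORG")
            if len(orgs) >= min_orgs and no_org / len(win) >= min_no_org_ratio:
                if best is None or len(orgs) > best["distinct_orgs"]:
                    best = {"src": src, "calls": len(win), "distinct_orgs": len(orgs),
                            "no_org": no_org, "first": win[0]["ts"].isoformat(),
                            "last": win[-1]["ts"].isoformat()}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_enumerators(SAMPLE_LOG):
        print(alert)  # one alert, for anon:203.0.113.7 (6 distinct ids, 5 NO_ORG)
```

The NO_ORG ratio is what separates a scanner from a user who mistyped an ID once; a legitimate admin inviting colleagues hits one or two organizations they are actually a member of and never produces a run of NO_ORG errors. After the fix the codes collapse, so the detector should then key on the distinct-ID count alone.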

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type         Values Removed   Values Added
Description                   Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.
Title                         Capgo - Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC
Weaknesses                    CWE-203
References
Metrics                       cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                              cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:31.337Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56327

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses