Impact
Capgo before 12.128.2 has an information disclosure flaw in the public.invite_user_to_org RPC function that lets unauthenticated callers learn whether a given organization ID exists. The function answers with different errors, NO_ORG when the organization is not found and NO_RIGHTS when the caller lacks permission on an organization that does exist, so the error itself acts as an existence oracle. Two properties make that oracle reachable without a session: the function is declared SECURITY DEFINER, so it runs with its owner's privileges rather than the caller's and row-level security written for the caller's role does not hide organization rows from it, and it can be invoked with the publishable API key, which is meant to be distributed to clients and is therefore not a secret. The result is tenant enumeration, which exposes internal structure and gives an attacker a foothold for further attacks.
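The pattern behind the oracle, shown as an added illustration in PL/pgSQL; this is not Capgo's code, and the table names (orgs, org_users, org_invites), the function names and the column layout are assumptions chosen for the example. auth.uid() is Supabase's helper that returns the caller's user ID, or NULL for the anon role that a publishable key maps to. The first function checks existence before authorization and reports the two failures differently, which is what leaks; the second folds both checks into one with a single failure message and, more importantly, removes EXECUTE from the anonymous role so the publishable key alone cannot reach it.

```sql
-- Added example, not Capgo's code. Assumed (hypothetical) schema:
--   orgs(id uuid), org_users(org_id uuid, user_id uuid, role text),
--   org_invites(org_id uuid, email text, invited_by uuid).
-- auth.uid() returns the caller's user id, or NULL for the anon role
-- (the role an unauthenticated call with the publishable key runs as).

-- VULNERABLE pattern: existence is tested before authorization and the two
-- outcomes are distinguishable. SECURITY DEFINER makes the orgs lookup run
-- with the owner's privileges, so an anon caller can still probe it.
create or replace function public.invite_user_to_org_vulnerable(p_org_id uuid, p_email text)
returns void
language plpgsql
security definer
as $$
begin
  if not exists (select 1 from orgs where id = p_org_id) then
    raise exception 'NO_ORG';        -- only reached for IDs that do not exist
  end if;

  if not exists (select 1 from org_users
                 where org_id = p_org_id
                   and user_id = auth.uid()          -- NULL for anon: never matches
                   and role in ('admin', 'super_admin')) then
    raise exception 'NO_RIGHTS';     -- only reached for IDs that do exist
  end if;

  insert into org_invites (org_id, email, invited_by)
  values (p_org_id, p_email, auth.uid());
end;
$$;

-- HARDENED pattern: one combined check with one failure message, so a missing
-- org and an org the caller may not administer are indistinguishable, and the
-- function is not executable by anon at all.
create or replace function public.invite_user_to_org_hardened(p_org_id uuid, p_email text)
returns void
language plpgsql
security definer
set search_path = public             -- pin search_path for a SECURITY DEFINER function
as $$
begin
  if auth.uid() is null
     or not exists (select 1
                    from orgs o
                    join org_users ou on ou.org_id = o.id
                    where o.id = p_org_id
                      and ou.user_id = auth.uid()
                      and ou.role in ('admin', 'super_admin')) then
    raise exception 'NO_RIGHTS';     -- same answer whether the org is missing or off-limits
  end if;

  insert into org_invites (org_id, email, invited_by)
  values (p_org_id, p_email, auth.uid());
end;
$$;

-- Postgres grants EXECUTE on a new function to PUBLIC by default. Take it away
-- from the anonymous role and allow only authenticated users.
revoke execute on function public.invite_user_to_org_hardened(uuid, text) from public, anon;
grant execute on function public.invite_user_to_org_hardened(uuid, text) to authenticated;
```

The uniform error message only removes the textual oracle; a sufficiently careful attacker could still try to distinguish the two branches by timing, which is why the grant change is the decisive part of the fix. To confirm it on a database, `select has_function_privilege('anon', 'public.invite_user_to_org_hardened(uuid, text)', 'execute');` should return false, and the same query against the production function name is a quick way to audit other SECURITY DEFINER RPCs for the same exposure.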
Affected Systems
All Capgo installations before version 12.128.2 are affected. The flaw lies in the database function public.invite_user_to_org, exposed through Capgo's API as the RPC endpoint for inviting users to organizations; any deployment in which that function can be called by unauthenticated clients holding only the publishable key is vulnerable.
Risk and Exploitability
The CVSS score of 6.9 places the flaw at medium severity. The attack needs no authenticated session: the only credential involved is the publishable API key, which, as its name says, is intended to be distributed to clients and so provides no access control on its own, making the flaw exploitable by anyone who can reach the API over the network. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog; that means no exploitation has been confirmed and recorded, not that none has occurred. Organization enumeration is a useful reconnaissance step for an attacker, so the fix should be applied promptly.
OpenCVE Enrichment