All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56247
HIGHpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 15:17 UTC
8.7
CVSS / 10
// description
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
// weaknesses (CWE)
- CWE-266