All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56327
MEDIUMpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 14:16 UTC
6.9
CVSS / 10
// description
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.
// weaknesses (CWE)
- CWE-203