cvedb.io
CVE-2026-56222
HIGH · CVSS 7.2
EPSS exploitation probability: 27%
Published 2026-06-23T13:16:44.097 · Last modified 2026-06-24T16:16:33.333

Summary

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.