CVE-2026-56222
HIGH NVDCVSS Score
7.2
Severity
HIGH
Source
NVD
Published
Jun 23, 2026
Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.