CVE-2026-56253
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
Capgo versions before 12.128.2 contain an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.
Risk Assessment
This vulnerability poses a risk of exposing sensitive member data, which could lead to further attacks or privacy breaches. Organizations may face loss of trust and potential legal consequences.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later to mitigate this vulnerability. Additionally, conducting an API access audit is advisable to minimize the risk of unauthorized access.
Original NVD description (English source)
Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.

