CVE Catalog

CVE-2026-56310

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Cap-go before version 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with such keys can access membership data from organizations outside their assigned scope.

Risk Assessment

This vulnerability may lead to unauthorized access to sensitive membership data, posing a serious threat to data privacy and security.

Recommendation

It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and review the API key management policy to restrict access to organization data.

Original NVD description (English source)

Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, image_url, role, and is_tmp from organizations outside their assigned scope.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS