CVE Catalog

CVE-2026-56327

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

A vulnerability in Capgo before version 12.128.2 allows unauthenticated attackers to enumerate existing organizations via the public.invite_user_to_org RPC function. Attackers can use an API key to call the SECURITY DEFINER function and determine whether an organization ID exists based on distinct error responses (NO_ORG vs NO_RIGHTS).

Risk Assessment

The risk is the ability to perform tenant enumeration attacks, which may reveal the organizational structure of the system and facilitate further targeted attacks against specific organizations.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix that eliminates the difference in error responses for existing and non-existing organizations.

Original NVD description (English source)

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS