ГлавнаяУязвимости → CVE-2026-56241
8.3высокая

CVE-2026-56241

Описание

Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being cleared during role binding deletion. Attackers can exploit this by maintaining a previously granted super_admin role to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.

CVSS
Балл8.3 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Источники
https://github.com/Cap-go/capgo/security/advisories/GHSA-rvvc-rvxv-qcrhhttps://www.vulncheck.com/advisories/capgo-rbac-demotion-privilege-retention-via-stale-org-users-user-right