ГлавнаяУязвимости → CVE-2026-56247
8.8высокая

CVE-2026-56247

Описание

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.

CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/Cap-go/capgo/security/advisories/GHSA-55q2-p3m2-x66xhttps://www.vulncheck.com/advisories/capgo-privilege-escalation-via-cross-scope-rbac-role-assignmenthttps://github.com/Cap-go/capgo/security/advisories/GHSA-55q2-p3m2-x66x