33 matches found
EUVD-2026-40429
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...
CVE-2026-56247
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...
CVE-2026-56333
Capgo before 12.128.2 is affected by a server-side validation bypass in organization security settings. The vulnerability lets authenticated org admins bypass backend validation by directly updating the public.orgs table from the browser, bypassing field-level checks such as max_apikey_expiration...
CVE-2026-56247
Capgo prior to version 12.128.2 contains a privilege-escalation flaw where org admins can assign org-scoped RBAC roles at the app scope without validating role-scope compatibility, including assignments to pending invitees . Attackers can pre-seed malformed high-privilege bindings that survive in...
PT-2026-54037
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Authenticated organization administrators can bypass server-side validation within organization security settings to persist an invalid security policy state. This is achieved by directly updating t...
GHSA-Q537-QHJ4-WCJX OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd
Summary An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. Impact Full platform access, access to sensitive or proprietary information...
CVE-2026-44730
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL o...
CVE-2026-44730 OpenCTI: Privilege escalation via graphQL API abusable by organization admins, due to incorrect ACL on userEdit relationAdd
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL o...
CVE-2026-44730
OpenCTI (open-source platform for threat intel) has a privilege-escalation vulnerability affecting the GraphQL API prior to version 6.9.7. An organization admin can elevate privileges by adding a user from a different organization with higher privileges to their own organization due to an incorre...
CVE-2026-43510 CISA manage.get.gov insecure portfolio administrative privileges
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30...
CVE-2026-5373
An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N 8.1 High. This issue was fixed in version...
GHSA-5M9M-J5P7-M7F9 Casdoor is vulnerable to Improper Authorization
An issue in the permission verification module and organization/application editing interface in Casdoor before 2.63.0 allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after log...
BIT-GRAFANA-2024-10452
Organization admins can delete pending invites created in an organization they are not part of...
SUSE CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of...
GHSA-66C4-2G2V-54QW Grafana org admin can delete pending invites in different org
Organization admins can delete pending invites created in an organization they are not part of...
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of...
UBUNTU-CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of...
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of...
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of...
CVE-2024-10452
CVE-2024-10452 affects Grafana (open‑source platform). The issue allows Organization administrators to delete pending invites in an organization they are not part of, representing an Authorization Bypass/Improper Access protection described in the connected advisories. Exploitation details are no...