Lucene search
+L

23 matches found

EUVD
EUVD
added 2026/07/10 1:57 p.m.10 views

EUVD-2026-42881

Capgo before 12.128.2 contains an information disclosure vulnerability in the getorgsv7userid RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles,...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References2
OSV
OSV
added 2026/07/10 1:57 p.m.3 views

CVE-2026-56279 Capgo - Information Disclosure via get_orgs_v7 RPC Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the getorgsv7userid RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles,...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References4
CVE
CVE
added 2026/07/10 1:57 p.m.8 views

CVE-2026-56279

Capgo before 12.128.2 is affected by an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users’ organization membersh...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/08 1:48 p.m.30 views

CVE-2026-56226 Capgo - Unauthenticated Organization Data Disclosure via get_orgs_v6 RPC

Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...

8.7CVSS0.00255EPSS
Exploits0References2
OSV
OSV
added 2026/06/30 10:8 p.m.4 views

CVE-2026-56219 Capgo - Unauthenticated RBAC Bindings and Email Disclosure via get_org_user_access_rbac NULL-auth Bypass

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...

8.7CVSS5.8AI score0.00341EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/25 5:36 p.m.5 views

keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

4.3CVSS5.7AI score0.00214EPSS
Exploits0References4
NVD
NVD
added 2026/06/21 2:16 p.m.15 views

CVE-2026-56242

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS0.00259EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:26 p.m.25 views

CVE-2026-56242

Technical details beyond the provided description are not publicly available in the supplied documents. Monitor for updates for vulnerability specifics, affected versions, impact, and remediations.

8.7CVSS5.9AI score0.00259EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:26 p.m.5 views

CVE-2026-56242

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS5.9AI score0.00259EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/21 1:26 p.m.30 views

CVE-2026-56242 Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS0.00259EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/21 1:26 p.m.10 views

EUVD-2026-38167

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS5.9AI score0.00259EPSS
Exploits0References2
OSV
OSV
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56242 Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS5.9AI score0.00259EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.19 views

PT-2026-51221

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An unauthenticated security definer RPC function get identity apikey only returns the owning user id for supplied API keys. This creates an API key validity oracle—a mechanism that allows an attacke...

8.7CVSS5.8AI score0.00259EPSS
Exploits0References7
OSV
OSV
added 2026/05/28 6:31 a.m.5 views

GHSA-4Q93-V92X-P89F Keycloak Vulnerable to Incorrect Authorization

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

4.3CVSS5.7AI score0.00214EPSS
Exploits0References15
EUVD
EUVD
added 2026/05/28 3:27 a.m.14 views

EUVD-2026-32701

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

4.3CVSS5.7AI score0.00214EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.20 views

PT-2026-44182

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An authenticated user with existing organization membership can exploit a flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect OIDC token with the...

4.3CVSS5.5AI score0.00214EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.6 views

CVE-2026-3582

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token PAT lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

5.3CVSS5.8AI score0.00248EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/10 9:32 p.m.10 views

EUVD-2026-10828

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token PAT lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

5.3CVSS5.8AI score0.00248EPSS
Exploits0References5
CVE
CVE
added 2026/03/10 6:56 p.m.16 views

CVE-2026-3582

CVE-2026-3582 affects GitHub Enterprise Server. An Incorrect Authorization vulnerability allowed an authenticated user with a classic PAT lacking the repo scope to retrieve issues and commits from private/internal repositories via the search REST API, provided the user already had access to the r...

5.3CVSS5.8AI score0.00248EPSS
Exploits0References4Affected Software1
Hacker One
Hacker One
added 2026/01/23 7:13 p.m.17 views

GitHub: PATs without the required scope can leak issues

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token PAT lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

5.3CVSS5.8AI score0.00248EPSS
Exploits0
Rows per page
Query Builder