2 matches found
EUVD-2026-42249
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...
CVE-2026-56246
Capgo prior to 12.128.2 contains a broken access control in the organization management API. A scoped API key (limited_to_orgs) inherits its owner-user’s permissions, enabling cross‑organization destructive actions (e.g., DELETE /organization, DELETE /organization/members) when an admin belongs t...