CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-56246

highCVSS 8.1covered by 1 sourcefirst seen 2026-07-08
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive operations (e.g., DELETE /organization, DELETE /organization/members) against another organization. The root cause is route-level authorization (rbac_check_permission_direct) that evaluates the key owner's user privileges before enforcing the API key's limited_to_orgs scope.

⚡ Watch CVE-2026-56246

Get an email if CVE-2026-56246 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-56246

CVE.org record

Embed the live status

CVE-2026-56246 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-56246 status](https://www.csirts.com/badge/CVE-2026-56246)](https://www.csirts.com/cve/CVE-2026-56246)