CVE-2026-56241 in Capgo
Summary
by MITRE • 07/12/2026
Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being cleared during role binding deletion. Attackers can exploit this by maintaining a previously granted super_admin role to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/12/2026
This vulnerability represents a critical privilege escalation flaw in Capgo versions prior to 12.128.2 that stems from improper role management during user demotion processes. The technical implementation contains a persistent authorization bypass where the org_users.user_right column fails to be properly cleared when a super_admin role is revoked from a user account. This creates a stale state condition where previously elevated privileges remain active even after the user has been downgraded to a standard role. The vulnerability specifically affects two RPC endpoints delete_non_compliant_bundles and count_non_compliant_bundles which are typically restricted to super_admin users only. According to CWE-284, this manifests as an improper access control vulnerability where the system fails to properly enforce authorization boundaries during role transitions. The flaw operates under the principle of least privilege violation by allowing demoted users to retain excessive permissions beyond their current role assignments.
The operational impact of this vulnerability extends far beyond simple unauthorized access as it enables persistent administrative capabilities for compromised accounts. An attacker who gains access to a demoted super_admin account can indefinitely enumerate and bulk delete non-compliant bundles across the entire organization without detection. This creates a significant data integrity risk where malicious actors could systematically remove compliance-related data or disrupt organizational operations. The vulnerability aligns with ATT&CK technique T1078.004 which covers valid accounts used for privilege escalation, and T1531 which involves account access removal. The persistence aspect of this flaw means that even if the initial compromise is detected and remediated, the stale privileges remain active until manual database cleanup occurs.
The root cause lies in the incomplete implementation of role binding deletion logic where the system properly removes role associations but neglects to clear the corresponding user_right column in the org_users table. This creates a scenario where the database state does not match the actual role assignments, leading to authorization bypass conditions. The vulnerability demonstrates poor state management practices and inadequate cleanup procedures during user role transitions. Organizations relying on Capgo for application management face significant operational risks including potential data loss, compliance violations, and service disruption. The issue also reflects broader security concerns related to proper privilege lifecycle management and the importance of maintaining consistent authorization state across all system components. Effective mitigation requires both immediate patching to version 12.128.2 or later and manual database cleanup to ensure stale user_right values are cleared for all demoted accounts.
This vulnerability type represents a common but often overlooked class of authorization flaws in modern applications where role management systems fail to maintain consistency between role assignments and actual permissions. The persistence of stale privileges creates long-term security risks that can remain undetected for extended periods, particularly in environments with frequent user role changes or automated access management processes. Organizations should implement regular security audits of their privilege management systems and establish automated monitoring for anomalous access patterns that could indicate stale authorization conditions. The flaw also highlights the importance of following security best practices such as implementing proper database transaction handling during role transitions and maintaining audit trails of all privilege changes to facilitate forensic analysis and incident response activities.