CVE-2026-56333 in Capgo

Summary

by MITRE • 07/01/2026

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser, circumventing field-level validation checks for max_apikey_expiration_days and other security-sensitive configuration parameters.


Analysis

by VulDB Data Team • 07/01/2026

This vulnerability is a critical server-side validation bypass in Capgo's organization security settings that undermines the access control the settings are meant to enforce. Authenticated organization administrators are supposed to be prevented, by backend validation, from persisting invalid security policy states. Because that validation is not enforced where the data is stored, an administrator can update records in the public.orgs table directly from the browser and so circumvent the field-level validation checks that normally protect security-sensitive configuration parameters.

The root cause is inadequate input validation at the backend layer. When organization administrators modify security settings such as max_apikey_expiration_days and other critical configuration parameters, the system does not apply its validation controls to writes that reach the table directly. The bypass works because the application relies on client-side validation and on validating endpoints, both of which are simply never traversed when the browser updates the database directly or when an API endpoint persists input without validating it first.

The operational impact is substantial: an attacker holding authenticated organization admin privileges can establish invalid security policy states that significantly weaken the organization's security posture. By manipulating max_apikey_expiration_days and similar security-sensitive fields, an attacker can extend API key expiration periods beyond acceptable limits, create insecure configurations, or disable critical security controls. The flaw corresponds to CWE-20 (improper input validation) and CWE-862 (insufficient authorization checks).

The attack surface comprises any authenticated organization administrator with access to the application's browser interface or to API endpoints that allow direct database updates. This is a privilege escalation vector available both to internal malicious actors and to external attackers who have obtained administrative credentials by other means. The vulnerability maps to ATT&CK technique T1078.004 (valid accounts with elevated privileges) and to T1566.002, which covers credential harvesting through social engineering that could lead to such privileged access.

Mitigation should focus on server-side validation controls that cannot be bypassed by writing to the table directly. Organizations should enforce strict input validation at multiple layers, including API gateways, application logic, and database-level constraints, so that invalid parameter values are rejected regardless of how the data is submitted. Audit logging of every configuration change to the public.orgs table would additionally make it possible to detect modifications that bypass the normal validation path. A complete fix therefore combines database-level constraints, API endpoint validation, and monitoring, while preserving legitimate administrative functionality for authorized users.
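The following illustration is added here and is not Capgo's code. It models the two write paths the analysis describes (the validating settings endpoint and a direct table update) against an in-memory SQLite stand-in for public.orgs, and shows that only a database-level CHECK constraint stops the direct path. The column set, the 365-day ceiling and the seed value are assumptions.

```python
import sqlite3

MAX_APIKEY_EXPIRATION_DAYS = 365  # assumed policy ceiling, not Capgo's value


def validate_org_settings(settings: dict) -> None:
    """Application-layer check that the normal settings endpoint runs."""
    days = settings.get("max_apikey_expiration_days")
    if not isinstance(days, int) or not 1 <= days <= MAX_APIKEY_EXPIRATION_DAYS:
        raise ValueError("max_apikey_expiration_days out of range")


def create_orgs_table(conn: sqlite3.Connection, db_constraint: bool) -> None:
    """Stand-in for public.orgs; the CHECK is the database-level mitigation."""
    check = (
        f"CHECK (max_apikey_expiration_days BETWEEN 1 AND {MAX_APIKEY_EXPIRATION_DAYS})"
        if db_constraint
        else ""
    )
    conn.execute(
        "CREATE TABLE orgs (id INTEGER PRIMARY KEY, "
        f"max_apikey_expiration_days INTEGER NOT NULL {check})"
    )
    conn.execute("INSERT INTO orgs VALUES (1, 30)")  # constructed seed row


def update_via_endpoint(conn: sqlite3.Connection, org_id: int, settings: dict) -> None:
    """Normal path: validation runs before the row is written."""
    validate_org_settings(settings)
    conn.execute(
        "UPDATE orgs SET max_apikey_expiration_days = ? WHERE id = ?",
        (settings["max_apikey_expiration_days"], org_id),
    )


def update_direct(conn: sqlite3.Connection, org_id: int, days: int) -> None:
    """Bypass path: a direct table write that never reaches validate_org_settings."""
    conn.execute("UPDATE orgs SET max_apikey_expiration_days = ? WHERE id = ?", (days, org_id))


def persisted_value(path: str, db_constraint: bool, days: int) -> int:
    """Run one write on a fresh table and return what ends up stored (30 if rejected)."""
    conn = sqlite3.connect(":memory:")
    create_orgs_table(conn, db_constraint)
    try:
        if path == "endpoint":
            update_via_endpoint(conn, 1, {"max_apikey_expiration_days": days})
        else:
            update_direct(conn, 1, days)
    except (ValueError, sqlite3.IntegrityError):
        pass  # rejected at the application or database layer; seed value survives
    return conn.execute("SELECT max_apikey_expiration_days FROM orgs WHERE id = 1").fetchone()[0]
```

Without the constraint the direct write persists an out-of-policy value; with it the same write fails with an IntegrityError and the stored value is unchanged, which is the property the mitigation paragraph asks for.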

Responsible

VulnCheck

Reservation

06/20/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
