CVE-2026-56247
Published: 30 June 2026
Summary
CVE-2026-56247 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, it is ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40429
Vulnerability details
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
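The flaw described above is a missing scope-compatibility check on role bindings, including bindings pre-seeded for pending invitees. The following is an added example, not Capgo's own code, of the two checks a fix needs: refuse an org-scoped role at app scope when the binding is written, and re-validate every pre-seeded binding when an invite is accepted so a malformed binding cannot carry over. The role names, `Scope` enum and `Binding` type are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Scope(Enum):
    ORG = "org"
    APP = "app"

# Constructed role catalogue: every role is valid at exactly one scope.
ROLE_SCOPES = {"org_admin": Scope.ORG, "org_member": Scope.ORG,
               "app_admin": Scope.APP, "app_read": Scope.APP}

@dataclass(frozen=True)
class Binding:
    principal: str  # user id, or the invite e-mail while the invite is pending
    role: str
    scope: Scope
    target: str     # org id or app id the binding applies to

class ScopeMismatch(ValueError):
    """Raised when a role is bound at a scope it was not defined for."""

def validate_binding(b: Binding) -> Binding:
    """Reject unknown roles and org/app scope mismatches at write time."""
    expected = ROLE_SCOPES.get(b.role)
    if expected is None:
        raise ValueError(f"unknown role {b.role!r}")
    if expected is not b.scope:
        raise ScopeMismatch(f"role {b.role!r} is {expected.value}-scoped; "
                            f"refusing binding at {b.scope.value} scope")
    return b

def accept_invite(pending, email, user_id):
    """Re-check every binding pre-seeded for the invitee before it becomes a
    user binding, so a malformed binding cannot survive invite acceptance.
    Returns (materialised bindings, rejected bindings)."""
    accepted, rejected = [], []
    for b in pending:
        if b.principal != email:
            continue
        try:
            validate_binding(b)
        except ValueError:  # ScopeMismatch is a ValueError too
            rejected.append(b)
            continue
        accepted.append(Binding(user_id, b.role, b.scope, b.target))
    return accepted, rejected
```

The rejected list is what an audit log or admin alert should record, since a pre-seeded org-scoped role at app scope is exactly the pattern this CVE describes.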
- CWE(s): CWE-266 (Incorrect Privilege Assignment)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Insufficient information to map techniques.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.
Regular reviews catch incorrect privilege assignments to users, roles, or processes.
Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248551 A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Oracle Linux 9 (1 rule)
- V-271779 OL 9 must be configured so that a sticky bit must be set on all public directories. via CWE-266
RHEL 8 (1 rule)
- V-230243 A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
RHEL 9 (1 rule)
- V-257929 A sticky bit must be set on all RHEL 9 public directories. via CWE-266
Ubuntu 22.04 (2 rules)
- V-260559 Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group. via CWE-266
- V-260513 Ubuntu 22.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Ubuntu 24.04 (2 rules)
- V-270748 Ubuntu 24.04 LTS must ensure only users who need access to security functions are part of sudo group. via CWE-266
- V-270750 Ubuntu 24.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266