CVE-2026-56310 describes an authorization bypass vulnerability in Cap-go prior to version 12.128.2. The vulnerability exists in the GET /organization/members API endpoint, where org-limited API keys can circumvent the limited_to_orgs restriction. This allows an attacker possessing such an API key to access membership information from organizations beyond their authorized scope, exposing sensitive user data including uid, email, image_url, role, and is_tmp. The vulnerability is rated medium severity with a CVSS 4.0 score of 5.3. No vendor advisory or patch information is currently available, and the product is not a cloud service, so remediation depends on vendor updates.

Attackers with org-limited API keys can bypass intended authorization controls to read membership data from unauthorized organizations. This exposure includes personally identifiable information such as user IDs and emails, as well as role and temporary status data. The impact is unauthorized disclosure of sensitive organizational membership information, potentially leading to privacy violations or further targeted attacks. There is no indication of privilege escalation or code execution. No known exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or workaround is currently documented, organizations should monitor for vendor updates and consider restricting API key distribution and permissions as a temporary measure. Avoid using org-limited API keys in untrusted environments until a fix is available.