Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered session fixation requires victim to click a crafted URL (UI:R); attacker needs no privileges; confidentiality and integrity impacts are low with no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
AnalysisAI
Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must navigate to a Capgo login URL that includes attacker-supplied access_token and refresh_token values as GET query parameters - requiring the victim to click a crafted link delivered via phishing, a compromised website, or social engineering. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) correctly captures the overall risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker authenticates to their own Capgo account and extracts their valid access_token and refresh_token values, then constructs a URL such as https://console.capgo.app/login?access_token=ATTACKER_TOKEN&refresh_token=ATTACKER_REFRESH. The attacker delivers this link to a target Capgo developer via phishing email or a compromised Slack channel. … |
| Remediation | The primary fix is to upgrade Capgo to version 12.128.2 or later, which removes acceptance of access_token and refresh_token via URL query parameters; the vendor advisory is at https://github.com/Cap-go/capgo/security/advisories/GHSA-83f5-439g-pwmj. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40426
GHSA-5ph3-fx7r-fpq3