Skip to main content

Capgo CVE-2026-56224

| EUVDEUVD-2026-40426 MEDIUM
Session Fixation (CWE-384)
2026-06-30 VulnCheck GHSA-5ph3-fx7r-fpq3
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-delivered session fixation requires victim to click a crafted URL (UI:R); attacker needs no privileges; confidentiality and integrity impacts are low with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:39 vuln.today

DescriptionCVE.org

Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.

AnalysisAI

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains own valid Capgo access and refresh tokens
Delivery
Craft login URL embedding attacker tokens as query parameters
Exploit
Deliver phishing link to target Capgo developer
Execution
Victim clicks link, console silently authenticates into attacker session
Impact
Attacker reuses token pair to monitor or act on victim session

Vulnerability AssessmentAI

Exploitation The victim must navigate to a Capgo login URL that includes attacker-supplied access_token and refresh_token values as GET query parameters - requiring the victim to click a crafted link delivered via phishing, a compromised website, or social engineering. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) correctly captures the overall risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker authenticates to their own Capgo account and extracts their valid access_token and refresh_token values, then constructs a URL such as https://console.capgo.app/login?access_token=ATTACKER_TOKEN&refresh_token=ATTACKER_REFRESH. The attacker delivers this link to a target Capgo developer via phishing email or a compromised Slack channel. …
Remediation The primary fix is to upgrade Capgo to version 12.128.2 or later, which removes acceptance of access_token and refresh_token via URL query parameters; the vendor advisory is at https://github.com/Cap-go/capgo/security/advisories/GHSA-83f5-439g-pwmj. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

CVE-2026-56224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy