Skip to main content

Capgo CVE-2026-56228

| EUVDEUVD-2026-38116 MEDIUM
Improper Input Validation (CWE-20)
2026-06-20 VulnCheck GHSA-j8w3-fhfr-rrvp
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.9 MEDIUM

Requires authenticated organization administrator access to modify password policy (PR:H, AV:N, AC:L); impact is purely high-severity availability loss with no confidentiality or integrity effects, no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 06:17 vuln.today
Patch available
Jun 20, 2026 - 17:16 EUVD

DescriptionCVE.org

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.

AnalysisAI

Capgo's password policy configuration in versions before 12.128.2 can be exploited by an authenticated organization administrator to trigger an organization-wide account lockout by setting an arbitrarily large minimum password length - such as billions of characters - with no server-side upper-bound enforcement. Once the malicious policy is enabled, every organization member including other administrators is prevented from setting a compliant password, permanently blocking access to the organization and constituting an application-level denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or compromise org admin credentials
Delivery
Authenticate to Capgo web interface
Exploit
Navigate to password policy configuration
Install
Set minimum password length to extreme integer value
C2
Enable the password policy
Execute
All org users blocked from password compliance
Impact
Organization-wide account lockout achieved

Vulnerability AssessmentAI

Exploitation Exploitation strictly requires an active authenticated session holding the organization administrator role within the target Capgo organization - this is the definitive prerequisite confirmed by the CVSS 4.0 PR:H metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) accurately reflects the elevated privilege requirement (PR:H - organization administrator role) as the principal attack constraint, which substantially narrows the exploitable population compared to an unauthenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained organization administrator credentials - through phishing, credential stuffing, or insider access - logs into the Capgo web interface, navigates to the organization's password policy settings, enters an integer value such as 2,000,000,000 as the minimum password length, and enables the policy. From that moment, all organization members encounter an unresolvable password compliance failure on any password change attempt, locking out the entire organization with no self-service recovery path. …
Remediation The primary remediation is to upgrade Capgo to version 12.128.2 or later, which introduces server-side enforcement of a maximum allowable value for the minimum password length field, closing the improper input validation gap. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Capgo

View all
CVE-2026-56237 CRITICAL
9.3 Jun 24

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin

CVE-2026-56223 CRITICAL
9.3 Jun 24

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal

CVE-2026-56081 CRITICAL
9.3 Jun 19

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a

CVE-2026-56073 CRITICAL
9.3 Jun 19

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering

CVE-2026-56324 HIGH
8.8 Jun 22

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo

CVE-2026-56245 HIGH
8.8 Jun 24

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing

CVE-2026-56233 HIGH
8.7 Jun 30

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat

CVE-2026-56323 HIGH
8.7 Jun 22

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se

CVE-2026-56305 HIGH
8.7 Jul 10

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (

CVE-2026-56300 HIGH
8.7 Jun 30

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse

CVE-2026-56219 HIGH
8.7 Jun 30

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin

CVE-2026-56230 HIGH
8.7 Jun 30

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited

Share

CVE-2026-56228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy