Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires authenticated organization administrator access to modify password policy (PR:H, AV:N, AC:L); impact is purely high-severity availability loss with no confidentiality or integrity effects, no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.
AnalysisAI
Capgo's password policy configuration in versions before 12.128.2 can be exploited by an authenticated organization administrator to trigger an organization-wide account lockout by setting an arbitrarily large minimum password length - such as billions of characters - with no server-side upper-bound enforcement. Once the malicious policy is enabled, every organization member including other administrators is prevented from setting a compliant password, permanently blocking access to the organization and constituting an application-level denial of service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation strictly requires an active authenticated session holding the organization administrator role within the target Capgo organization - this is the definitive prerequisite confirmed by the CVSS 4.0 PR:H metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (Medium) accurately reflects the elevated privilege requirement (PR:H - organization administrator role) as the principal attack constraint, which substantially narrows the exploitable population compared to an unauthenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained organization administrator credentials - through phishing, credential stuffing, or insider access - logs into the Capgo web interface, navigates to the organization's password policy settings, enters an integer value such as 2,000,000,000 as the minimum password length, and enables the policy. From that moment, all organization members encounter an unresolvable password compliance failure on any password change attempt, locking out the entire organization with no self-service recovery path. … |
| Remediation | The primary remediation is to upgrade Capgo to version 12.128.2 or later, which introduces server-side enforcement of a maximum allowable value for the minimum password length field, closing the improper input validation gap. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38116
GHSA-j8w3-fhfr-rrvp