CVE-2026-56312
MEDIUM
6.5
CVSS 3.1
Description
Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn invite links.
Metadata
Severity & Metrics
6.5
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Capgo | Capgo | — | 0 < 12.128.2, 12.128.2 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-287 | cna | Improper Authentication |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| 6.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
References (2)
- GitHub Security Advisory (GHSA-whc5-fvr7-g5v3) https://github.com/Cap-go/capgo/security/advisories/GHSA-whc5-fvr7-g5v3
- VulnCheck Advisory: Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint https://www.vulncheck.com/advisories/capgo-account-creation-before-captcha-validation-in-accept-invitation-endpoint