Back to overview

CVE-2026-56312

MEDIUM
6.5
CVSS 3.1
Description
Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn invite links.

Metadata

CVE ID
CVE-2026-56312
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-20 12:53 UTC
Published
2026-07-10 13:57 UTC
Last updated
2026-07-10 17:01 UTC
Primary CWE
CWE-287
Improper Authentication
Vendor / Product
Capgo / Capgo
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Capgo Capgo 0 < 12.128.2, 12.128.2
Weakness (CWE)
CWESourceDescription
CWE-287 cna Improper Authentication
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
References (2)
Back to overview