CVE Catalog

CVE-2026-56080

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature. After a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state, leading to repeated password-reset prompts.

Risk Assessment

This flaw can result in the Super Admin being locked out of organization access, leading to denial of service. Despite valid authentication, administrators may become permanently locked out.

Recommendation

It is recommended to upgrade to version 12.128.2 or later to resolve this issue. Additionally, monitoring logs and implementing emergency procedures for Super Admins is advisable.

Original NVD description (English source)

Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS