CVE-2026-56080
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature. After a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state, leading to repeated password-reset prompts.
Risk Assessment
This flaw can result in the Super Admin being locked out of organization access, leading to denial of service. Despite valid authentication, administrators may become permanently locked out.
Recommendation
It is recommended to upgrade to version 12.128.2 or later to resolve this issue. Additionally, monitoring logs and implementing emergency procedures for Super Admins is advisable.
Original NVD description (English source)
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.

