CVE Catalog

CVE-2026-56228

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

Capgo before version 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. Organization administrators can set an extremely large value as the minimum password length, making compliance impossible for all organization members.

Risk Assessment

Enabling such a policy leads to user account lockout, including administrators, resulting in organization-wide account lockout and application-level denial of service.

Recommendation

It is recommended to upgrade to version 12.128.2 or later and review the password policy to avoid setting impractical minimum password length values.

Original NVD description (English source)

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS