CVE-2026-56228
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
Capgo before version 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. Organization administrators can set an extremely large value as the minimum password length, making compliance impossible for all organization members.
Risk Assessment
Enabling such a policy leads to user account lockout, including administrators, resulting in organization-wide account lockout and application-level denial of service.
Recommendation
It is recommended to upgrade to version 12.128.2 or later and review the password policy to avoid setting impractical minimum password length values.
Original NVD description (English source)
Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.

