CVE Catalog

CVE-2026-56318

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

A vulnerability in Capgo before version 12.128.2 discloses information via the /private/validate_password_compliance endpoint, which returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages.

Risk Assessment

The risk is that an unauthenticated attacker can confirm the existence of organizations, which could be leveraged for further targeted attacks against specific organizations.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix that eliminates the differentiation of error responses.

Original NVD description (English source)

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS