CVE-2026-56331
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A vulnerability in Capgo before version 12.128.2 stems from improper error handling in the /private/accept_invitation endpoint. Instead of returning safe 4xx errors, the server returns HTTP 500 when magic_invite_string is invalid, allowing attackers to leak internal processing details.
Risk Assessment
An attacker, using only the public key, can submit malformed magic_invite_string values to trigger server errors and potentially expose sensitive information about the application's internal architecture.
Recommendation
Immediately update Capgo to version 12.128.2 or later, which includes a fix for this issue.
Original NVD description (English source)
Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.

