CVE Catalog

CVE-2026-56331

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in Capgo before version 12.128.2 stems from improper error handling in the /private/accept_invitation endpoint. Instead of returning safe 4xx errors, the server returns HTTP 500 when magic_invite_string is invalid, allowing attackers to leak internal processing details.

Risk Assessment

An attacker, using only the public key, can submit malformed magic_invite_string values to trigger server errors and potentially expose sensitive information about the application's internal architecture.

Recommendation

Immediately update Capgo to version 12.128.2 or later, which includes a fix for this issue.

Original NVD description (English source)

Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS