Home

Description

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate users and achieve full account takeover.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-10 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
HIGH: 8.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

Unverified Password Change

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

References

github.com/.../capgo/security/advisories/GHSA-rjr5-qxqj-cx8g exploit

github.com/.../capgo/security/advisories/GHSA-rjr5-qxqj-cx8g (GitHub Security Advisory (GHSA-rjr5-qxqj-cx8g)) vendor-advisory

www.vulncheck.com/...via-missing-current-password-validation (VulnCheck Advisory: Capgo - Authentication Bypass in Password Change via Missing Current Password Validation) third-party-advisory

cve.org (CVE-2026-56305)

nvd.nist.gov (CVE-2026-56305)

Download JSON