Home

Description

Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn invite links.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-10 | Updated 2026-07-10 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

Improper Authentication

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-whc5-fvr7-g5v3 (GitHub Security Advisory (GHSA-whc5-fvr7-g5v3)) vendor-advisory

www.vulncheck.com/...alidation-in-accept-invitation-endpoint (VulnCheck Advisory: Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint) third-party-advisory

cve.org (CVE-2026-56312)

nvd.nist.gov (CVE-2026-56312)

Download JSON