Description
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.
Published: 2026-06-19
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 contain a flaw in the Enforce Password Policy feature. When a Super Admin enables the policy and later changes their password to meet the policy, the backend fails to update the password‑compliance state. Consequently the account remains marked as non‑compliant, triggering repeated password‑reset prompts that ultimately lock the Super Admin out of the organization, preventing any further legitimate access to the system while authentication is still technically valid.
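The stale-compliance defect described above, as an added illustration that is not Capgo's own code: the vulnerable change handler replaces the password hash but never recomputes the stored compliance flag, so the login gate keeps demanding a reset, while the fixed handler derives the flag from the new password at change time. The account, organization and policy shapes are assumptions for this model.

```javascript
// Hypothetical model of the described flaw; names and shapes are assumptions, not Capgo's code.

// Constructed policy: the rule the organization enforces once "Enforce Password Policy" is on.
const DEFAULT_POLICY = { minLength: 12, requireUpper: true, requireDigit: true };

function isCompliant(password, policy = DEFAULT_POLICY) {
  if (password.length < policy.minLength) return false;
  if (policy.requireUpper && !/[A-Z]/.test(password)) return false;
  if (policy.requireDigit && !/[0-9]/.test(password)) return false;
  return true;
}

// Stand-in for a real password hash (argon2/bcrypt in a real backend).
function fakeHash(password) {
  return `hash:${password.length}`;
}

// Login gate: with enforcement on, an account whose stored flag says "non-compliant"
// is redirected to a password-reset prompt on every request.
function needsPasswordReset(account, org) {
  return org.enforcePasswordPolicy && !account.passwordCompliant;
}

// Vulnerable flow: the hash changes, but account.passwordCompliant is left as it was.
// The compliant password is accepted, yet the next request is sent back to reset.
function changePasswordVulnerable(account, newPassword) {
  account.passwordHash = fakeHash(newPassword);
  return account;
}

// Fixed flow: compliance is recomputed from the new password and persisted alongside the hash.
function changePasswordFixed(account, newPassword, policy = DEFAULT_POLICY) {
  account.passwordHash = fakeHash(newPassword);
  account.passwordCompliant = isCompliant(newPassword, policy);
  return account;
}

// Reproduce the Super Admin scenario: policy enabled, legacy password non-compliant,
// then a successful change to a compliant password. Returns whether the reset loop persists.
function simulateLockout(changePassword) {
  const org = { enforcePasswordPolicy: true };
  const admin = { role: 'super_admin', passwordHash: fakeHash('short'), passwordCompliant: false };
  changePassword(admin, 'LongerPassword123');
  return needsPasswordReset(admin, org);
}
```

`simulateLockout(changePasswordVulnerable)` returns `true` (the admin is still looped into a reset prompt after a valid change), while `simulateLockout(changePasswordFixed)` returns `false`.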

Affected Systems

Cap-go's Capgo, specifically all releases before 12.128.2. The vulnerability is tied to the product's authentication and password-policy enforcement components, affecting only the enterprise tiers that use the Super Admin role for policy management.

Risk and Exploitability

The flaw carries a CVSS score of 6.9, indicating moderate severity; no EPSS score is reported and it is not listed in the CISA KEV catalog. Attackers would need the ability to enable the password policy and then successfully change a Super Admin password to a compliant one; the vulnerability is internal and depends on administrative activity. Given the moderate CVSS and the lack of public exploitation evidence, the likelihood of widespread exploitation is considered low to moderate, but the impact, permanent exclusion of all privileged users, demands prompt remediation.

Generated by OpenCVE AI on June 19, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Capgo to version 12.128.2 or later to deploy the fix that correctly updates the password‑compliance state.
  • If an immediate upgrade cannot be performed, disable the Enforce Password Policy feature until the patch is applied to prevent repeated password‑reset prompts from locking out privileged accounts.
  • After patching or disabling the feature, verify that Super Admin accounts have compliant passwords and that the backend records their compliance status; review recent login logs for abnormal lockout attempts.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.

Type: Title
Values Removed: (none)
Values Added: Cap-go - Authentication Logic Flaw in Enforce Password Policy

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1
{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T21:39:20.248Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56080

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T23:30:05Z

Weaknesses