Impact
The vulnerability allows attackers to auto‑authenticate victims by including valid access and refresh tokens in the URL’s query string during a login request to Capgo’s console. When a user clicks such a link, Capgo accepts the tokens without prompting for credentials, thereby granting the attacker an authenticated session tied to the victim’s account. This can lead to unauthorized access, session hijacking, and potential exposure of sensitive data that the authenticated session can access.
Affected Systems
Capgo’s web console (Capgo:Capgo) is affected in all releases prior to version 12.128.2. Earlier versions accept access_token and refresh_token query parameters during the /login route and automatically authenticate the user without confirmation.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation data. The most likely attack vector is remote: a crafted HTTP GET request that carries the tokens in the URL. An attacker can lure a victim into visiting such a link, thereby establishing an attacker-controlled session and exposing the tokens in browser history and server logs.
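As an added example (not Capgo's code), the following shows the defensive side of the issue described above: a /login handler that never turns query-string tokens into a session and strips them from the URL, plus a scan over constructed access-log lines that flags login requests carrying access_token or refresh_token. The origin, parameter handling and log format are assumptions for illustration.

```javascript
// Added example, not Capgo's code: a login-route guard that refuses to use
// session tokens arriving in the query string, plus a log scan that flags
// requests matching that pattern. Origin and log lines are constructed.
const ORIGIN = "https://console.example.invalid"; // placeholder, not a real host
const TOKEN_PARAMS = ["access_token", "refresh_token"];

// Names of token parameters present in the query string of a request URL.
function tokenParamsInQuery(requestUrl) {
  const url = new URL(requestUrl, ORIGIN);
  return TOKEN_PARAMS.filter((p) => url.searchParams.has(p));
}

// Hardened /login handling: query-string tokens never create a session.
// Tokens are stripped and the client is redirected to a clean URL so they
// do not remain in browser history or get re-submitted.
function handleLogin(requestUrl) {
  const url = new URL(requestUrl, ORIGIN);
  if (url.pathname !== "/login") return { action: "pass-through" };
  const rejected = tokenParamsInQuery(requestUrl);
  if (rejected.length === 0) return { action: "show-login-form" };
  for (const p of rejected) url.searchParams.delete(p);
  return { action: "redirect", to: url.pathname + url.search, rejected };
}

// Detection: scan access-log lines (constructed, common log format) for
// /login requests carrying token parameters. Returns {ip, params} per hit.
const REQUEST_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/;
function findTokenLoginRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, ip, path] = m;
    if (!path.startsWith("/login")) continue;
    const params = tokenParamsInQuery(path);
    if (params.length > 0) hits.push({ ip, params });
  }
  return hits;
}

// Constructed sample: one benign login, one request carrying both tokens.
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /login?next=dashboard HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?access_token=TOKEN_A&refresh_token=TOKEN_B&next=dashboard HTTP/1.1" 302 0',
  '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /apps HTTP/1.1" 200 2048',
];
console.log(handleLogin("/login?access_token=TOKEN_A&refresh_token=TOKEN_B&next=dashboard"));
console.log(findTokenLoginRequests(SAMPLE_LOG));
```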
OpenCVE Enrichment