Description
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
Published: 2026-06-30
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows attackers to auto‑authenticate victims by including valid access and refresh tokens in the URL’s query string during a login request to Capgo’s console. When a user clicks such a link, Capgo accepts the tokens without prompting for credentials, thereby granting the attacker an authenticated session tied to the victim’s account. This can lead to unauthorized access, session hijacking, and potential exposure of sensitive data that the authenticated session can access.

Affected Systems

Capgo’s web console (Capgo:Capgo) is affected in all releases prior to version 12.128.2. Earlier versions accept access_token and refresh_token query parameters on the /login route and automatically authenticate the user without confirmation.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation data. The most likely attack vector is remote via a crafted HTTP GET request that includes the tokens in the URL. An attacker can force a victim to visit a malicious link, thereby establishing an attacker‑controlled session and exposing the tokens in browser history and server logs.

Generated by OpenCVE AI on June 30, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Capgo to version 12.128.2 or later, which removes the ability to supply tokens via URL query parameters.
  • Configure the web server or application to reject or strip access_token and refresh_token parameters from incoming requests to deny automatic authentication.
  • Educate users to avoid clicking untrusted URLs and to monitor their accounts for suspicious login activity.

Generated by OpenCVE AI on June 30, 2026 at 23:27 UTC.
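The second recommended action above (reject or strip the token parameters on the login route) and the token-in-logs exposure noted in the analysis, as an added example that is not Capgo's own code: a request gate that refuses to consume access_token or refresh_token from a /login query string and redirects to a clean login URL, plus a scanner that flags such requests in access-log lines. The handler signature is Express-style and hypothetical; the log lines are constructed for the demonstration.

```javascript
// Added example (not Capgo's code). Gate /login against session tokens
// supplied in the URL query string, and detect such requests in logs.
const TOKEN_PARAMS = ["access_token", "refresh_token"];

// Inspect a request URL: report which token parameters are present and
// return the same path with those parameters removed.
function inspectLoginUrl(rawUrl) {
  // Base is only needed so relative request paths parse; it is never used.
  const url = new URL(rawUrl, "https://example.invalid");
  const found = TOKEN_PARAMS.filter((p) => url.searchParams.has(p));
  for (const p of found) url.searchParams.delete(p);
  return {
    blocked: found.length > 0,
    params: found,
    cleanPath: url.pathname + url.search,
  };
}

// Express-style handler (hypothetical signature): never authenticate from
// the query string; send the client to the login page without the tokens.
function loginGuard(req, res, next) {
  const verdict = inspectLoginUrl(req.url);
  if (!verdict.blocked) return next();
  res.statusCode = 303;
  res.setHeader("Location", verdict.cleanPath);
  res.end();
}

// Scan combined-format access-log lines for /login requests that carried
// tokens in the query: an attempt indicator and a token-leak indicator.
function findTokenLeaks(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\S+)/);
    if (!m) continue;
    const v = inspectLoginUrl(m[1]);
    if (v.blocked) hits.push({ line, params: v.params });
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [30/Jun/2026:22:40:01 +0000] "GET /login?access_token=REDACTED&refresh_token=REDACTED HTTP/1.1" 302 0',
  '203.0.113.6 - - [30/Jun/2026:22:41:09 +0000] "GET /login?next=apps HTTP/1.1" 200 1024',
  '203.0.113.7 - - [30/Jun/2026:22:42:15 +0000] "GET /login?refresh_token=REDACTED HTTP/1.1" 302 0',
];

module.exports = { inspectLoginUrl, loginGuard, findTokenLeaks, SAMPLE_LOG };
```

Running findTokenLeaks(SAMPLE_LOG) flags the first and third lines; the guard leaves legitimate /login requests untouched and never reads the tokens.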

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type         Values Removed   Values Added
Description                   Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
Title                         Capgo - Login CSRF and Session Fixation via URL Query Parameters
Weaknesses                    CWE-384
References
Metrics                       cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
                              cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:22.873Z

Reserved: 2026-06-19T21:46:58.630Z

Link: CVE-2026-56224

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses