Description
Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.
Published: 2026-06-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo fails to enforce a maximum value for the minimum password length in its password policy configuration. An authenticated organization administrator can set an astronomically high value, such as billions of characters, making it impossible for any user to meet the policy. Once the policy is enabled, all users, including administrators, are prevented from changing their passwords or accessing the organization, effectively locking the entire organization and causing an application‑level denial of service.

Affected Systems

Capgo is affected for all releases prior to version 12.128.2. The vulnerability resides in the password policy configuration feature available to organization administrators.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium; the v3.1 vector scores 4.9). No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated account with organization-administrator privileges, reachable over the network with no user interaction, so the likely attacker is a malicious insider or a compromised administrator account. The impact is confined to availability: every member of the organization, administrators included, is locked out until the policy is corrected. The absence of an EPSS score says nothing about whether exploitation has occurred; given the low effort required and the scope of the outage, prompt mitigation is warranted.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.

Remediation

The CVE record lists no vendor fix or workaround. The affected range in the description (before 12.128.2) indicates the issue is addressed in 12.128.2.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later where the password policy enforces an upper bound on the minimum password length.
  • Limit the ability of organization administrators to modify the password policy or enforce a hard‑coded maximum (e.g., 64 characters) to prevent oversized values.
  • Temporarily disable password policy enforcement or reset the policy to a safe default until a patch is applied, and monitor for lockout events to detect any inadvertent side‑effects.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.
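As an added example, not Capgo's own code, the following TypeScript shows the unchecked pattern the description refers to beside a bounded setter of the kind the recommended actions call for, plus the repair step (reset to a safe default) for a policy that is already unsatisfiable. The policy field names, the 8 to 128 character bounds, and all function names are assumptions chosen for illustration.

```typescript
// Added example, not Capgo's code. Field names, bounds and function names are assumptions.

interface PasswordPolicy {
  enabled: boolean;
  minLength: number; // minimum password length required of all organization members
}

// Assumed bounds: at least 8 characters (NIST SP 800-63B floor) and a hard ceiling
// of 128 so that any stored policy remains satisfiable by a real password.
const MIN_ALLOWED_LENGTH = 8;
const MAX_ALLOWED_LENGTH = 128;

const SAFE_DEFAULT_POLICY: PasswordPolicy = { enabled: true, minLength: 8 };

// Vulnerable pattern: the administrator-supplied value is stored as received.
// A value in the billions goes straight into the policy.
function setMinLengthUnchecked(policy: PasswordPolicy, requested: number): PasswordPolicy {
  return { ...policy, minLength: requested };
}

// Hardened setter: accept only a finite integer inside [MIN_ALLOWED_LENGTH, MAX_ALLOWED_LENGTH].
// Rejects NaN, Infinity, fractions, strings and anything outside the bounds.
function setMinLengthChecked(policy: PasswordPolicy, requested: unknown): PasswordPolicy {
  if (typeof requested !== "number" || !isFinite(requested) || Math.floor(requested) !== requested) {
    throw new RangeError("minLength must be an integer");
  }
  if (requested < MIN_ALLOWED_LENGTH || requested > MAX_ALLOWED_LENGTH) {
    throw new RangeError(`minLength must be between ${MIN_ALLOWED_LENGTH} and ${MAX_ALLOWED_LENGTH}`);
  }
  return { ...policy, minLength: requested };
}

// Does a password satisfy the policy? (Length is in UTF-16 code units, matching String.length.)
function passwordMeetsPolicy(policy: PasswordPolicy, password: string): boolean {
  if (!policy.enabled) return true;
  return password.length >= policy.minLength;
}

// Can the policy be satisfied at all? This is the lockout condition the advisory describes:
// once false, no member (administrators included) can set a compliant password.
function policyIsSatisfiable(policy: PasswordPolicy): boolean {
  return !policy.enabled || policy.minLength <= MAX_ALLOWED_LENGTH;
}

// Recovery step for an already-stored oversized policy: fall back to the safe default.
function repairPolicy(policy: PasswordPolicy): PasswordPolicy {
  return policyIsSatisfiable(policy) ? policy : { ...SAFE_DEFAULT_POLICY };
}

// Walk through the scenario: unchecked setter locks everyone out, checked setter refuses.
function demo(): { lockedOut: boolean; hardenedRejected: boolean; repairedMinLength: number } {
  const oversized = 2000000000; // "billions of characters", as in the description
  const bad = setMinLengthUnchecked({ enabled: true, minLength: 8 }, oversized);
  const lockedOut =
    !passwordMeetsPolicy(bad, "correct horse battery staple") && !policyIsSatisfiable(bad);

  let hardenedRejected = false;
  try {
    setMinLengthChecked({ enabled: true, minLength: 8 }, oversized);
  } catch (e) {
    hardenedRejected = e instanceof RangeError;
  }

  return { lockedOut, hardenedRejected, repairedMinLength: repairPolicy(bad).minLength };
}

console.log(demo()); // { lockedOut: true, hardenedRejected: true, repairedMinLength: 8 }
```

The ceiling is what matters here: a maximum on the minimum-length field is not a password-strength decision but a guarantee that the policy can always be met, so the check belongs server-side in the handler that persists the policy, not only in the form.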

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.
Title        (none)           Capgo - Denial of Service via Improper Password Policy Length Validation
Weaknesses   (none)           CWE-20
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}
                              cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:41.990Z

Reserved: 2026-06-19T21:46:58.631Z

Link: CVE-2026-56228

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-20

    Improper Input Validation