Description
Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks to compromise user accounts.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A credential validation endpoint in Capgo can be invoked using only the public Supabase key, with no authentication required. The endpoint is CORS-permissive, allowing any origin to call it, and it lacks rate limiting. An attacker can repeatedly submit guessed passwords for known usernames, effectively performing password spraying or credential stuffing to compromise user accounts. The weakness is CWE-307, Improper Restriction of Excessive Authentication Attempts: the endpoint places no limit on repeated credential attempts.

Affected Systems

Capgo versions earlier than 12.128.2 are affected. Administrators running these releases should verify the deployed Capgo version and plan an upgrade.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Because the public Supabase key is intended to be exposed to clients and the endpoint is reachable from any origin, the likelihood of exploitation is high. Without rate limiting, an attacker can submit thousands of credential attempts in a short period, increasing the probability of a successful account takeover. The vulnerability is not listed in the CISA KEV catalog and no EPSS data is available, but the described attack vector strongly suggests that this flaw can be abused in the wild.

Generated by OpenCVE AI on June 23, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to enforce authentication and enable rate limiting on the credential validation endpoint.
  • Modify the CORS configuration to allow only trusted origins or remove the wildcard origin setting.
  • Implement or enable account lockout or rate limiting on the credential validation service to reduce the success rate of password-spraying attempts.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 14:30:00 +0000

Type      Values Removed    Values Added
Metrics   -                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type          Values Removed    Values Added
Description   -                 Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks to compromise user accounts.
Title         -                 Capgo - Password Spraying via Public-Key Accessible Credential Validation Endpoint
Weaknesses    -                 CWE-307
References    -                 -
Metrics       -                 cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                                cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:57:04.754Z

Reserved: 2026-06-19T21:50:06.625Z

Link: CVE-2026-56234

Vulnrichment

Updated: 2026-06-23T13:56:58.755Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-307: Improper Restriction of Excessive Authentication Attempts