Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /private/validate_password_compliance endpoint in Capgo versions prior to 12.128.2 returns distinct error messages and status codes for malformed, non‑existent, and existing organization identifiers. This difference lets an unauthenticated actor determine which organization UUIDs are valid, revealing the presence of organizations in the system. The issue is an information disclosure vulnerability consistent with CWE‑200.

Affected Systems

Capgo before version 12.128.2 is affected. Any client able to reach the /private/validate_password_compliance endpoint without authentication can trigger the flaw and enumerate organization identifiers.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Because unauthenticated requests are sufficient and the difference is observable directly in response status codes and error messages, the risk is real and the attack vector is straightforward. An attacker can confirm organization existence with simple HTTP requests, potentially aiding further reconnaissance or targeted attacks.

Generated by OpenCVE AI on June 30, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later, where the endpoint no longer discloses organization existence.
  • Modify configuration or code to require authentication before allowing access to /private/validate_password_compliance.
  • Implement rate limiting and monitoring on the endpoint to detect and thwart enumeration attempts.
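As an added illustration (not Capgo's own code; the organization store, request shape and sample UUIDs are hypothetical), the handler below models the three-way error split the Impact section describes beside a form that applies the recommended actions: authenticate first, then return one identical reply for malformed, unknown and non-member organization ids.

```typescript
// Added illustration (not Capgo's code): the three-way error split the
// advisory describes, beside a handler that authenticates first and
// collapses malformed, unknown and foreign organization ids into one reply.

type ApiResponse = { status: number; body: { error: string } | { ok: true } };
type Caller = { authenticated: boolean; orgIds: Set<string> }; // orgs the caller belongs to

// Generic RFC 4122 textual form; version/variant nibbles deliberately not pinned.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample of existing organizations (hypothetical values).
const KNOWN_ORGS = new Set<string>(["123e4567-e89b-12d3-a456-426614174000"]);

// Vulnerable shape: each branch answers differently, so an unauthenticated
// caller learns whether an id is malformed, absent or present.
function validateVulnerable(orgId: string): ApiResponse {
  if (!UUID_RE.test(orgId)) return { status: 400, body: { error: "invalid organization id" } };
  if (!KNOWN_ORGS.has(orgId)) return { status: 404, body: { error: "organization not found" } };
  return { status: 200, body: { ok: true } };
}

// Hardened shape: reject unauthenticated callers up front, then give one
// identical answer for malformed, unknown and non-member ids. Every check is
// evaluated unconditionally so the code path does not vary with the input.
function validateHardened(orgId: string, caller: Caller): ApiResponse {
  if (!caller.authenticated) return { status: 401, body: { error: "authentication required" } };
  const wellFormed = UUID_RE.test(orgId);
  const exists = KNOWN_ORGS.has(orgId);
  const member = caller.orgIds.has(orgId);
  if (!(wellFormed && exists && member)) {
    return { status: 404, body: { error: "organization not found" } };
  }
  return { status: 200, body: { ok: true } };
}

// True when two replies could be told apart by status code or body.
function distinguishable(a: ApiResponse, b: ApiResponse): boolean {
  return a.status !== b.status || JSON.stringify(a.body) !== JSON.stringify(b.body);
}

// Regression check for a handler: do the three id classes get differing answers?
function leaksExistence(handler: (id: string) => ApiResponse): boolean {
  const probes = ["not-a-uuid", "00000000-0000-0000-0000-000000000000",
                  "123e4567-e89b-12d3-a456-426614174000"];
  const replies = probes.map(handler);
  return distinguishable(replies[0], replies[1]) || distinguishable(replies[1], replies[2]);
}
```

`leaksExistence` is the kind of check that belongs in the endpoint's test suite: it fails on the vulnerable handler and passes on the hardened one for both anonymous and non-member callers.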



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type: Description
Values added: Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.

Type: Title
Values added: Capgo - Information Disclosure via /private/validate_password_compliance Endpoint

Type: Weaknesses
Values added: CWE-200

Type: References
Values added: none

Type: Metrics
Values added:
cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:29.937Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56318

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor