Impact
The /private/validate_password_compliance endpoint in Capgo versions prior to 12.128.2 returns distinct error messages and status codes depending on whether the supplied organization identifier is malformed, well-formed but non-existent, or existing. This difference lets an unauthenticated actor determine which organization UUIDs are valid and therefore which organizations exist in the system. The issue is an information disclosure vulnerability consistent with CWE-200.
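The following is an added illustration, not Capgo's code and not the fix shipped in 12.128.2 (the page does not describe that fix). It models a hypothetical organization-scoped handler first in the leaky shape the advisory describes, then in a hardened shape where the lookup result is released only to a session bound to that organization and every other outcome collapses into one generic response. The organization table, UUIDs, session object and helper names are all constructed for the example.

```javascript
// Added example, not Capgo's code: a hypothetical organization-scoped
// validation handler, first in the leaky shape the advisory describes and
// then hardened so every non-authorized outcome is indistinguishable.

const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample data standing in for the organization table.
const ORGS = new Map([
  ["11111111-1111-4111-8111-111111111111", { minPasswordLength: 12 }],
]);

// Vulnerable pattern: three distinguishable outcomes for an anonymous caller,
// which is the oracle the advisory describes.
function leakyHandler(orgId) {
  if (!UUID_RE.test(orgId)) {
    return { status: 400, body: { error: "malformed organization id" } };
  }
  const org = ORGS.get(orgId);
  if (!org) {
    return { status: 404, body: { error: "organization not found" } };
  }
  return { status: 200, body: { policy: org } };
}

// Hardened pattern (one possible approach, assumed here): the caller must
// present a session bound to the same organization. Malformed, unknown and
// foreign identifiers all map to the same generic response, so an anonymous
// caller learns nothing about which identifiers exist.
const GENERIC_DENIAL = Object.freeze({ status: 404, body: { error: "not found" } });

function hardenedHandler(orgId, session) {
  // Look the organization up first, then decide; the result is released only
  // to a session whose organization matches the requested one.
  const org = UUID_RE.test(orgId) ? ORGS.get(orgId) : undefined;
  const authorized =
    session !== null && session !== undefined &&
    session.orgId === orgId && org !== undefined;
  if (!authorized) {
    return GENERIC_DENIAL;
  }
  return { status: 200, body: { policy: org } };
}

// Regression check a defender can keep in the test suite: every anonymous
// probe class (malformed, non-existent, existing) must yield byte-identical
// responses from the handler, otherwise the enumeration oracle is back.
function isEnumerationResistant(handler, probes) {
  const seen = new Set(probes.map((id) => JSON.stringify(handler(id, null))));
  return seen.size === 1;
}

// Constructed probes covering the three classes named in the advisory.
const PROBES = [
  "not-a-uuid",                            // malformed
  "22222222-2222-4222-8222-222222222222",  // well-formed, does not exist
  "11111111-1111-4111-8111-111111111111",  // exists
];

console.log("leaky handler resistant:", isEnumerationResistant(leakyHandler, PROBES));
console.log("hardened handler resistant:", isEnumerationResistant(hardenedHandler, PROBES));
```

The regression check is the part worth keeping: it encodes the advisory's observation (distinct responses per identifier class) as a single assertion, so a future refactor that reintroduces a more helpful error message fails the build rather than shipping a new oracle.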
Affected Systems
Capgo versions before 12.128.2 are affected. Any client that can reach the /private/validate_password_compliance endpoint without authentication can trigger the flaw and enumerate organization identifiers.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Because unauthenticated requests are sufficient and the oracle is observable directly in response status codes and messages, the risk is tangible and the attack vector is straightforward. An attacker can confirm whether an organization exists with simple HTTP requests, which may aid further reconnaissance or targeted attacks against that organization.
OpenCVE Enrichment