Description
Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the Capgo application before version 12.128.2, where the /private/accept_invitation endpoint fails to handle an invalid magic_invite_string correctly. Instead of returning a safe 4xx error, the server responds with a generic HTTP 500 status, exposing internal processing details. This is classified as CWE‑209, which allows attackers to gain information about the system’s internal state.

Affected Systems

The affected product is Capgo, specifically any deployment of the Capgo server running a pre‑12.128.2 release. The endpoint is publicly accessible and requires only the public key to invoke the endpoint, allowing any external user to trigger the error.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. While the EPSS score is not available and the vulnerability is not listed in CISA KEV, the attack vector is straightforward: an attacker only needs to send malformed magic_invite_string values to the public endpoint. This can be automated to generate repeated 500 responses, potentially leaking system internals and creating a small but exploitable denial of service scenario.

Generated by OpenCVE AI on June 30, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later.
  • Modify the /private/accept_invitation handler to validate magic_invite_string and return an appropriate 4xx error for invalid inputs.
  • Implement rate limiting or input throttling on the invitation endpoint to reduce the impact of automated error-triggering attempts.
  • Monitor server logs for repetitive 500 responses and investigate any anomalies promptly.

Generated by OpenCVE AI on June 30, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.
Title Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String
Weaknesses CWE-209
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:32.681Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56331

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information