Description
Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.
Published: 2026-06-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo prior to 12.128.2 implements a confirm-signup endpoint that accepts a confirmation_url parameter without validation, allowing the application to redirect users to any external website. This flaw enables attackers to construct malicious links, facilitating phishing or credential-harvesting campaigns. The vulnerability represents a CWE-601 open redirect weakness, which can compromise user trust and potentially lead to credential theft.

Affected Systems

The flaw affects Capgo by Capgo, specifically all releases before version 12.128.2. Users running older Capgo deployments are vulnerable and should verify their installed version.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Because no EPSS data is available and the vulnerability is not listed in CISA's KEV catalog, the likelihood of exploitation is uncertain, although the flaw itself is exploitable through crafted URLs. Attackers can trigger the redirect simply by luring a user to a link containing a malicious confirmation_url, making the attack path straightforward from a network perspective.

Generated by OpenCVE AI on June 20, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Capgo to version 12.128.2 or later to eliminate the unvalidated confirmation_url parameter
  • If an upgrade is not immediately possible, configure the application to validate or whitelist allowed redirect domains before processing confirmation_url
  • Deploy a web application firewall rule to block or inspect traffic to the confirm-signup endpoint, rejecting requests with suspicious confirmation_url values
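As an added illustration of the second recommended action, the following is example code written for this page, not Capgo's own implementation; the application origin and the allowed hostnames are constructed placeholders, and the handler name is hypothetical. It parses the supplied confirmation_url with the WHATWG URL parser and accepts it only when the resolved target is HTTPS, carries no userinfo, and has a hostname that exactly matches the allowlist, so protocol-relative, backslash, userinfo and look-alike-domain variants all fall back to a fixed in-app page.

```typescript
// Example redirect-target validation for a confirmation_url style parameter.
// Not Capgo's code; APP_ORIGIN and ALLOWED_HOSTS are constructed placeholders.
const APP_ORIGIN = "https://app.example.test";
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "app.example.test",
  "console.example.test",
]);

// Resolve the raw parameter against the application origin. Relative paths
// become same-origin URLs; absolute URLs keep their own origin. Inputs such as
// "//evil.example" or "/\evil.example" resolve to an external host here, so
// the origin check below rejects them rather than string matching on prefixes.
function parseRedirect(raw: string): URL | null {
  try {
    return new URL(raw, APP_ORIGIN);
  } catch {
    return null; // unparseable input is never a valid target
  }
}

function isSafeRedirect(raw: string): boolean {
  const url = parseRedirect(raw);
  if (url === null) return false;
  // Only HTTPS: rejects javascript:, data:, http: and any other scheme.
  if (url.protocol !== "https:") return false;
  // Reject userinfo so "https://app.example.test@evil.example/" cannot be
  // mistaken for an allowed host by a reader (the parser already puts the
  // real host in url.hostname, but a non-empty username is itself suspicious).
  if (url.username !== "" || url.password !== "") return false;
  // Exact hostname match; endsWith()-style checks would accept
  // "app.example.test.evil.example".
  return ALLOWED_HOSTS.has(url.hostname);
}

// Hypothetical handler helper: returns the validated absolute URL, or the
// fixed fallback page when the parameter is absent or fails validation.
function resolveConfirmationUrl(
  raw: string | null,
  fallback: string = `${APP_ORIGIN}/login`,
): string {
  if (raw === null || !isSafeRedirect(raw)) return fallback;
  return (parseRedirect(raw) as URL).toString();
}
```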

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.

Type: Title
  Values Removed: (empty)
  Values Added: Capgo - Open Redirect via confirmation_url Parameter

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-601

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added:
    cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}
    cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:49.511Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56332

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T18:00:09Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')