CVE Catalog

CVE-2026-56224

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

A vulnerability in Capgo console.capgo.app/login before version 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.

Risk Assessment

The risk for the organization includes session hijacking through social engineering, potentially leading to unauthorized access to sensitive data and systems. Authentication tokens may be exposed in browser history or server logs.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, which fixes this vulnerability. Also inform users about the risk of clicking suspicious links and consider implementing additional security measures such as request origin validation.

Original NVD description (English source)

Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS