CVE-2026-56224
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A vulnerability in Capgo console.capgo.app/login before version 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
Risk Assessment
The risk for the organization includes session hijacking through social engineering, potentially leading to unauthorized access to sensitive data and systems. Authentication tokens may be exposed in browser history or server logs.
Recommendation
Immediately upgrade Capgo to version 12.128.2 or later, which fixes this vulnerability. Also inform users about the risk of clicking suspicious links and consider implementing additional security measures such as request origin validation.
Original NVD description (English source)
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.

