CVE Catalog

CVE-2026-56234

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Summary

Capgo before version 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that can be called using only the public Supabase key without authentication. The endpoint is CORS-permissive and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks.

Risk Assessment

This vulnerability poses a risk of compromising user accounts, potentially leading to unauthorized access to sensitive organizational data. Attackers can exploit this flaw to conduct mass password testing and take over accounts.

Recommendation

It is recommended to upgrade to Capgo version 12.128.2 or later and implement additional security measures such as rate limiting and requiring authentication for the endpoint. Monitoring logs for suspicious activity is also advised.

Original NVD description (English source)

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks to compromise user accounts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS