CVE-2026-56318
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
A vulnerability in Capgo before version 12.128.2 discloses information via the /private/validate_password_compliance endpoint, which returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages.
Risk Assessment
The risk is that an unauthenticated attacker can confirm the existence of organizations, which could be leveraged for further targeted attacks against specific organizations.
Recommendation
Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix that eliminates the differentiation of error responses.
Original NVD description (English source)
Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.

