CVE-2026-56228
Deferred Deferred - Pending Action

Authentication Bypass in Capgo Due to Unrestricted Password Length

Vulnerability report for CVE-2026-56228, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-23
Generated
2026-07-11
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56228 is a vulnerability in Capgo versions before 12.128.2 where an authenticated organization administrator can set an extremely large minimum password length value in the password policy configuration.

Because there is no enforcement of a maximum value on this minimum password length field, administrators can input impractically large numbers (e.g., billions or trillions of characters).

This causes all users, including administrators, to be unable to change their passwords or access the organization, resulting in an organization-wide account lockout and an application-level denial of service.

Impact Analysis

This vulnerability can cause a complete denial of service for an entire organization using Capgo.

Since users cannot change their passwords or access the organization once the malicious password policy is enabled, it results in an organization-wide account lockout.

This disruption can halt productivity, prevent access to critical resources, and potentially violate service level agreements (SLAs).

Detection Guidance

This vulnerability can be detected by checking the password policy configuration in Capgo for an unusually large minimum password length value set by an authenticated organization administrator.

Since the issue involves improper input validation allowing extremely large numeric values for minimum password length, detection involves inspecting the password policy settings for values that are impractically high (e.g., billions or trillions of characters).

No specific commands are provided in the available resources, but administrators should review the password policy configuration via the Capgo administrative interface or API to identify if the minimum password length is set to an abnormally large number.

Mitigation Strategies

Immediate mitigation steps include enforcing strict maximum password length limits in the password policy configuration to prevent setting impractically large minimum password lengths.

Ensure that server-side validation is implemented to validate password policy configurations and reject extreme numeric inputs.

Administrators should review and correct any existing password policies that have excessively large minimum password length values to restore user access and prevent organization-wide lockout.

Compliance Impact

This vulnerability causes an organization-wide account lockout by allowing an administrator to set an impractically large minimum password length, making password changes and access impossible for all users.

Such a denial of service could disrupt normal operations and access to systems that may contain sensitive or regulated data, potentially impacting compliance with standards like GDPR or HIPAA that require continuous access controls and user authentication.

However, the provided information does not explicitly state the direct effects on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart