CVE-2026-56318
Status: Received - Intake

BaseFortify

Vulnerability report for CVE-2026-56318, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.
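The weakness described above is a response-oracle: three classes of input (malformed ID, well-formed but unknown ID, existing ID) produce three distinguishable answers before any authentication is checked. The following is an added illustration, not Capgo's code, of that pattern beside a hardened handler that authenticates first and collapses every failure an unauthenticated caller can provoke into one fixed response. The handler names, the organization store, the token table and all UUIDs are constructed for the example.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: organizations that "exist" and the API tokens bound to them.
ORG_STORE = {
    "0f3e1c2a-8b4d-4e6f-9a10-1234567890ab": {"min_password_length": 12},
    "7d9a5b3c-1e2f-4a6b-8c0d-0987654321fe": {"min_password_length": 16},
}
TOKENS = {"tok-alice": "0f3e1c2a-8b4d-4e6f-9a10-1234567890ab"}

EXISTING_ORG = "0f3e1c2a-8b4d-4e6f-9a10-1234567890ab"
OTHER_ORG = "7d9a5b3c-1e2f-4a6b-8c0d-0987654321fe"
UNKNOWN_ORG = "00000000-0000-4000-8000-000000000000"  # well-formed, not in the store
MALFORMED_ORG = "not-a-uuid"


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def vulnerable_validate(org_id: str, auth_token: Optional[str]) -> Response:
    """Hypothetical handler with the weakness the CVE describes: the org lookup
    runs before authentication, and each failure has its own status and message."""
    try:
        parsed = uuid.UUID(org_id)
    except ValueError:
        return Response(400, {"error": "malformed organization id"})
    org = ORG_STORE.get(str(parsed))
    if org is None:
        return Response(404, {"error": "organization not found"})
    if auth_token is None or auth_token not in TOKENS:
        return Response(401, {"error": "authentication required"})
    return Response(200, {"policy": org})


# One fixed response for every unauthenticated request, whatever org_id contains.
UNAUTHENTICATED = Response(401, {"error": "unauthorized"})
# One fixed response for an authenticated caller asking about any org that is not theirs,
# whether the ID is malformed, unknown or belongs to someone else.
NOT_AVAILABLE = Response(404, {"error": "not found"})


def hardened_validate(org_id: str, auth_token: Optional[str]) -> Response:
    """Hardened form: authenticate before touching org_id or the store, then
    compare the requested ID against the caller's own organization only."""
    caller_org = TOKENS.get(auth_token) if auth_token is not None else None
    if caller_org is None:
        return UNAUTHENTICATED
    try:
        parsed = uuid.UUID(org_id)
    except ValueError:
        return NOT_AVAILABLE
    if str(parsed) != caller_org:
        return NOT_AVAILABLE
    return Response(200, {"policy": ORG_STORE[caller_org]})


def distinct_unauthenticated_responses(handler: Callable[[str, Optional[str]], Response]) -> int:
    """Regression check: how many distinct (status, body) pairs an unauthenticated
    caller sees across malformed, unknown and existing IDs. 1 means no signal."""
    probes = (MALFORMED_ORG, UNKNOWN_ORG, EXISTING_ORG)
    seen = {(r.status, tuple(sorted(r.body.items()))) for r in (handler(p, None) for p in probes)}
    return len(seen)


if __name__ == "__main__":
    print("vulnerable handler distinct responses:", distinct_unauthenticated_responses(vulnerable_validate))
    print("hardened handler distinct responses:", distinct_unauthenticated_responses(hardened_validate))
```

The hardened handler never reaches the store for an unauthenticated request, so neither the status, the body nor the lookup latency depends on whether the ID is real; `distinct_unauthenticated_responses` is the kind of test that keeps that property from regressing.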


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor: capgo
Product: capgo
Version / Range: up to 12.128.2 (12.128.2 excluded)

CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

AI Quick Actions

Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate valid organization UUIDs by observing the differing error responses of the /private/validate_password_compliance endpoint. This information disclosure could affect compliance with standards and regulations that require protection of organizational data and prevention of unauthorized information disclosure, such as GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or regulations.

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 in the /private/validate_password_compliance endpoint. The endpoint returns different error responses depending on whether the organization ID provided is malformed, non-existent, or valid. Because of this behavior, unauthenticated attackers can use the differences in response status codes and error messages to enumerate and confirm valid organization UUIDs.

Impact Analysis

The vulnerability allows unauthenticated attackers to discover valid organization UUIDs by analyzing the error responses from the affected endpoint. This information disclosure can lead to further targeted attacks or reconnaissance against the organizations identified, potentially compromising security or privacy.
