CVE-2026-56305
Deferred Deferred - Pending Action

Authentication Bypass in Capgo Allows Password Change Without Current Password

Vulnerability report for CVE-2026-56305, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate users and achieve full account takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Capgo versions before 12.128.2 contain an authentication bypass vulnerability in the password change endpoint. This flaw occurs because the system does not require confirmation of the current password when changing to a new one.

Attackers who have temporary access to a user sessionβ€”such as through stolen cookies, shared device access, cross-site scripting (XSS), or exposed tokensβ€”can exploit this vulnerability to change the user's password without knowing the original password.

This allows attackers to permanently lock out legitimate users and take full control of their accounts.

Impact Analysis

This vulnerability can have severe impacts including full account takeover by attackers.

  • Attackers can lock out legitimate users permanently by changing their passwords without authorization.
  • Compromised accounts can be misused for unauthorized financial transactions, internal operations, or accessing sensitive data.
  • Users face operational burdens such as recovery requests and manual password resets.
  • The platform may suffer reputational damage and operational disruptions.
Compliance Impact

This vulnerability exposes the platform to regulatory non-compliance risks.

By allowing unauthorized account takeovers and potential access to sensitive personal or protected health information, it can lead to violations of standards such as GDPR and HIPAA.

Such breaches can result in legal penalties, loss of trust, and increased scrutiny from regulatory bodies.

Mitigation Strategies

Immediate mitigation steps include implementing mandatory current password verification during password changes to prevent unauthorized updates.

Enable multi-factor authentication (MFA) triggers for password changes to add an additional layer of security.

Invalidate user sessions immediately after a password update to prevent continued access with compromised sessions.

Set up real-time user notifications for password changes to alert users of any unauthorized activity.

Enhance auditing and implement anomaly detection to identify suspicious password change attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56305. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart