CVE-2026-56312
Deferred Deferred - Pending Action

Improper Validation in Capgo Before 12.128.2

Vulnerability report for CVE-2026-56312, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn invite links.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56312 is a vulnerability in Capgo versions before 12.128.2 where the accept_invitation endpoint improperly validates captcha tokens.

Specifically, the system creates user accounts before enforcing captcha validation, allowing attackers to bypass captcha protection by sending POST requests with invalid captcha tokens.

This results in unauthorized creation of unwanted user accounts and depletion of invite links.

Impact Analysis

This vulnerability can lead to the creation of unwanted user accounts without proper captcha verification.

Attackers can exploit this to burn invite links, potentially exhausting the system's invitation capacity.

It may also cause side effects related to unauthorized account creation even if subsequent authentication fails.

Detection Guidance

This vulnerability can be detected by monitoring for unusual POST requests to the accept_invitation endpoint that include invalid or malformed CAPTCHA tokens. Such requests may indicate attempts to create user accounts without proper CAPTCHA validation.

Network or application logs should be inspected for repeated POST requests to the accept_invitation endpoint with invalid CAPTCHA tokens or unexpected account creation activity.

Suggested commands to detect this activity might include using tools like curl or wget to simulate requests, or using log analysis commands such as:

  • grep 'POST /accept_invitation' /var/log/nginx/access.log | grep 'invalid_captcha_token'
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'accept_invitation'
  • Use application-specific logging or monitoring tools to track account creation events and correlate them with CAPTCHA validation results.
Mitigation Strategies

Immediate mitigation steps include ensuring that CAPTCHA validation is enforced before any user account creation occurs in the accept_invitation endpoint.

Specifically, modify the application logic to validate the CAPTCHA token before calling the user creation function (e.g., supabaseAdmin.auth.admin.createUser()).

If the CAPTCHA validation fails, the user account creation should be blocked or rolled back to prevent unauthorized accounts and depletion of invite links.

Additionally, monitor and limit the rate of POST requests to the accept_invitation endpoint to reduce abuse.

Apply any available patches or updates from Capgo that address this vulnerability by upgrading to version 12.128.2 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart