CVE-2026-56305

Capgo · Capgo

Capgo contains a vulnerability involving unverified password changes, where the application fails to validate the current password, allowing authenticated attackers to hijack accounts.

Executive summary

A critical authorization vulnerability in Capgo allows authenticated attackers to change account passwords without verifying the current password, leading to full account takeover.

Vulnerability

This issue (CWE-620) involves the absence of a required current-password validation during the password change process, which can be leveraged by an authenticated user to change the credentials of other accounts.

Business impact

This vulnerability presents a severe risk as it facilitates complete account takeover by an authenticated attacker. With a CVSS score of 8.3, the potential for unauthorized access to sensitive administrative or user data is high. Successful exploitation could lead to unauthorized system modifications, data theft, and the escalation of privileges within the affected environment.

Remediation

Immediate Action: Update Capgo to version 12.128.2 or later to ensure that current password validation is enforced during all password change operations.

Proactive Monitoring: Review user account modification logs for suspicious or unauthorized password change activity occurring across the platform.

Compensating Controls: Monitor for anomalous spikes in administrative account modifications and enforce multi-factor authentication (MFA) where possible to add a layer of defense against account takeover.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for an attacker to change passwords without validation makes this a critical security flaw. Organizations must prioritize the update to version 12.128.2 to prevent account takeover and protect the integrity of user accounts within the Capgo system.