CVE-2026-56080
Published 2026-06-19
Priority P4 · 28 · CVSS 3.1: 4.9 (medium)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.30% (21.5th percentile)
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cap-go | capgo | < 12.128.2 | 12.128.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
CVE-2026-56080 [MEDIUM] Cap-go capgo up to 12.128.1 Enforce Password Policy Feature improper authentication (GHSA-78rv-3cqj-36xq / EUVD-2026-38094)
VulDB · 2026-06-20 · CVSS 4.9
A vulnerability was found in Cap-go capgo up to 12.128.1. It has been classified as critical. Affected is an unknown function of the component Enforce Password Policy Feature. The manipulation leads to improper authentication.
This vulnerability is listed as CVE-2026-56080. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
CVE-2026-56080 [MEDIUM] CWE-287 (Improper Authentication)
GHSA (unreviewed) · 2026-06-20
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.