Authentication Logic Flaw in Capgo by Capgo
CVE-2026-56080

6.9 MEDIUM

Key Information:

Vendor: Cap-go

Status: Vendor

CVE Published: 19 June 2026

What is CVE-2026-56080?

A flaw in Capgo's Enforce Password Policy feature exists in versions prior to 12.128.2. When a Super Admin successfully updates their password to meet the configured policy, the backend does not update the account's password-compliance status. The system therefore continues to treat the Super Admin's account as non-compliant, producing an endless cycle of password-reset prompts that can ultimately lock the Super Admin out of their account. This flaw may cause significant operational disruption, as authenticated users may be denied access to organizational resources.
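The defect class described above, as an added illustration (not Capgo's code): a compliance flag cached when the policy was enforced is never refreshed by the password-update path, so the login-time check keeps prompting for a reset. The policy rules, account fields and function names are assumptions; the fixed variant re-evaluates compliance in the same step that stores the new password.

```python
"""Model of a stale password-compliance flag after a successful update.

Hypothetical code for illustration; the policy, account shape and
function names are assumptions, not Capgo's implementation.
"""
import re
from dataclasses import dataclass

MIN_LENGTH = 12  # assumed policy minimum


def meets_policy(password: str) -> bool:
    """Assumed policy: 12+ chars with upper, lower, digit and symbol."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^\w\s]", password) is not None)


@dataclass
class Account:
    role: str
    password: str
    compliant: bool  # cached flag set when the policy was enforced


def update_password_buggy(acct: Account, new_pw: str) -> None:
    """Stores a policy-conformant password but leaves the cached flag stale."""
    if not meets_policy(new_pw):
        raise ValueError("password does not meet policy")
    acct.password = new_pw


def update_password_fixed(acct: Account, new_pw: str) -> None:
    """Stores the password and refreshes compliance in the same step."""
    if not meets_policy(new_pw):
        raise ValueError("password does not meet policy")
    acct.password = new_pw
    acct.compliant = meets_policy(new_pw)


def needs_reset_prompt(acct: Account) -> bool:
    """Login-time check: a stale False here produces the endless prompt loop."""
    return not acct.compliant


def simulate(update) -> int:
    """Count reset prompts over three logins after a compliant update.

    A non-zero result means the admin is bounced back to reset every time.
    """
    acct = Account(role="super_admin", password="short", compliant=False)
    update(acct, "Str0ng-Passw0rd!2026")  # constructed sample password
    return sum(needs_reset_prompt(acct) for _ in range(3))
```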

Affected Version(s)

capgo 0 < 12.128.2

capgo 12.128.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved