Password Policy Vulnerability in Capgo by Capgo
CVE-2026-56228

6.9 MEDIUM

Key Information:

Vendor: Capgo

Status: Vendor

CVE Published: 20 June 2026

What is CVE-2026-56228?

A serious vulnerability has been identified in Capgo: the application does not enforce an upper bound on the minimum password length in its configuration settings. An organization administrator can therefore set an impractically large numeric value for the minimum password length, reaching into the billions of characters. Once such a policy is active, no user, administrators included, can change their password or access their account, producing an organization-wide lockout and an application-level denial of service. Updating to the latest version is recommended to mitigate this risk.
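The defect described above is a missing upper bound on a tenant-controlled setting that every later authentication check trusts. The following TypeScript is an added example, not Capgo's code, illustrating the unbounded acceptance path beside a bounded one and showing why the bound matters at password-check time. The names (`PasswordPolicy`, `acceptPolicyUnbounded`, `validatePolicyUpdate`, `checkPassword`) and the ceiling of 128 are assumptions chosen for the illustration.

```typescript
// Added example (not Capgo's code). Shows how an unbounded "minimum password
// length" setting becomes a denial of service, and the bounded validation that
// prevents it. All names and the 8..128 window are hypothetical choices.

interface PasswordPolicy {
  minLength: number;
}

interface ValidationResult {
  ok: boolean;
  reason?: string;
}

// Ceiling fixed by the application, never by the tenant. NIST SP 800-63B asks
// that at least 64 characters be permitted, so 128 still allows long
// passphrases while keeping the policy satisfiable by a real person.
const MIN_ALLOWED_MIN_LENGTH = 8;
const MAX_ALLOWED_MIN_LENGTH = 128;

// Vulnerable shape: any finite non-negative number is stored as-is, so an
// administrator can persist a value that no password can ever satisfy.
function acceptPolicyUnbounded(candidate: unknown): ValidationResult {
  const n = Number(candidate);
  if (!Number.isFinite(n) || n < 0) {
    return { ok: false, reason: "minLength must be a non-negative number" };
  }
  return { ok: true };
}

// Hardened shape: the value must be a safe integer inside a fixed window.
function validatePolicyUpdate(candidate: unknown): ValidationResult {
  if (typeof candidate !== "number" || !Number.isSafeInteger(candidate)) {
    return { ok: false, reason: "minLength must be an integer" };
  }
  if (candidate < MIN_ALLOWED_MIN_LENGTH) {
    return { ok: false, reason: `minLength must be at least ${MIN_ALLOWED_MIN_LENGTH}` };
  }
  if (candidate > MAX_ALLOWED_MIN_LENGTH) {
    return { ok: false, reason: `minLength must not exceed ${MAX_ALLOWED_MIN_LENGTH}` };
  }
  return { ok: true };
}

// Check applied at login and password change. It reads whatever policy the
// tenant stored, which is exactly why the write-time bound above is needed.
function checkPassword(password: string, policy: PasswordPolicy): boolean {
  // Count code points rather than UTF-16 units so each character counts once.
  return Array.from(password).length >= policy.minLength;
}

// Reproduces the lockout class the advisory describes with a constructed value:
// the unbounded validator stores a multi-billion minimum, after which even the
// administrator's own (perfectly reasonable) password is rejected.
function demonstrateLockout(): { policyAccepted: boolean; adminCanLogin: boolean } {
  const hostileMinimum = 2_000_000_000; // constructed sample value
  const policyAccepted = acceptPolicyUnbounded(hostileMinimum).ok;
  const adminCanLogin = checkPassword("correct-horse-battery-staple-2026", {
    minLength: hostileMinimum,
  });
  return { policyAccepted, adminCanLogin };
}
```

The key design point is that the bound lives on the write path (`validatePolicyUpdate`), not only in the UI: the check at authentication time cannot distinguish a legitimate strict policy from a self-inflicted lockout, so the setting must be rejected before it is ever persisted.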

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
