Capgo before 12.128.2 contains an information disclosure...
Moderate severity
Unreviewed
Published
Jul 1, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Description
Published by the National Vulnerability Database
Jun 30, 2026
Published to the GitHub Advisory Database
Jul 1, 2026
Last updated
Jul 1, 2026
Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.
References