CVE-2026-56318
Severity CVSS v4.0:
MEDIUM
Type:
CWE-200
Information Leak / Disclosure
Publication date:
30/06/2026
Last modified:
01/07/2026
Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
5.30
Severity 3.x
MEDIUM



