PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56228 Capgo CVE debrief

CVE-2026-56228 is a medium-severity vulnerability in Capgo, a mobile app development platform. An authenticated organization administrator can set an extremely large numeric value as the minimum password length, causing an organization-wide account lockout and application-level denial of service. This issue was reported on June 20, 2026, and patched in version 12.128.2. The vulnerability has a CVSS score of 6.9. To assess exposure, defenders should verify whether their Capgo instance is running a vulnerable version and review their password policy configuration.

Vendor: Capgo
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-20
Original CVE updated: 2026-06-22
Advisory published: 2026-06-20
Advisory updated: 2026-06-22

Who should care

Organizations using Capgo for mobile app development should prioritize this vulnerability. Specifically, Capgo administrators and security teams responsible for mobile app development, authentication, and password policy management should assess their exposure and take action to limit the risk of denial of service.

Technical summary

The vulnerability exists in Capgo's password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service. The issue is patched in Capgo version 12.128.2.

Defensive priority

Medium priority: the issue can lock every member, administrators included, out of an organization, but triggering it requires an already-authenticated organization administrator.

Recommended defensive actions

  • Inventory Capgo instances and verify version numbers.
  • Review password policy configurations for extreme values.
  • Update Capgo to version 12.128.2 or later.
  • Restrict administrative access to password policy configuration.
  • Monitor for unusual password policy changes.
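The following is an added example, not Capgo's code and not taken from the advisory. It illustrates the defect class described in the technical summary and two of the actions listed above (reviewing stored policies for extreme values, monitoring for unusual policy changes). The policy shape, the allowed range of 8 to 128 characters, the event names, and the log lines are all assumptions constructed for the example.

```typescript
// Added example (not Capgo's code). Policy shape and bounds are assumptions.
export interface PasswordPolicy {
  orgId: string;
  minPasswordLength: number;
}

// Assumed bounds. 128 is an illustrative ceiling; the point is that a ceiling exists.
export const MIN_ALLOWED = 8;
export const MAX_ALLOWED = 128;

// Vulnerable pattern from the advisory: the administrator-supplied value is stored as given,
// so a value in the billions makes every password fail the policy.
export function setMinLengthUnchecked(policy: PasswordPolicy, value: number): PasswordPolicy {
  return { ...policy, minPasswordLength: value };
}

// Hardened pattern: reject non-integers and anything outside a fixed range before storing.
export function setMinLengthBounded(policy: PasswordPolicy, value: unknown): PasswordPolicy {
  if (typeof value !== "number" || !Number.isSafeInteger(value)) {
    throw new RangeError("minPasswordLength must be a safe integer");
  }
  if (value < MIN_ALLOWED || value > MAX_ALLOWED) {
    throw new RangeError(`minPasswordLength must be between ${MIN_ALLOWED} and ${MAX_ALLOWED}`);
  }
  return { ...policy, minPasswordLength: value };
}

// Policy check used at password-change time. With an unbounded minimum no password can satisfy it.
export function satisfiesPolicy(policy: PasswordPolicy, password: string): boolean {
  return password.length >= policy.minPasswordLength;
}

// Audit of stored policies: returns the orgIds whose minimum is outside the allowed range.
export function auditPolicies(policies: PasswordPolicy[]): string[] {
  return policies
    .filter(p => !Number.isSafeInteger(p.minPasswordLength)
      || p.minPasswordLength < MIN_ALLOWED
      || p.minPasswordLength > MAX_ALLOWED)
    .map(p => p.orgId);
}

// Constructed sample policies (not real data).
export const SAMPLE_POLICIES: PasswordPolicy[] = [
  { orgId: "org-a", minPasswordLength: 12 },
  { orgId: "org-b", minPasswordLength: 2000000000 },
  { orgId: "org-c", minPasswordLength: 0 },
];

// Constructed audit-log lines in an assumed JSON-per-line format (not Capgo's log format).
export const SAMPLE_LOG_LINES: string[] = [
  '{"ts":"2026-06-19T10:00:00Z","event":"org.policy.update","orgId":"org-a","actor":"admin@a.example","field":"minPasswordLength","old":8,"new":12}',
  '{"ts":"2026-06-19T10:05:00Z","event":"org.policy.update","orgId":"org-b","actor":"admin@b.example","field":"minPasswordLength","old":12,"new":2000000000}',
  '{"ts":"2026-06-19T10:06:00Z","event":"org.member.login","orgId":"org-b","actor":"dev@b.example"}',
  'not json at all',
];

// Detection over log lines: flag policy updates that set minPasswordLength outside the range.
export function flagPolicyChangeEvents(lines: string[]): string[] {
  const hits: string[] = [];
  for (const line of lines) {
    let ev: any;
    try {
      ev = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    if (ev.event !== "org.policy.update" || ev.field !== "minPasswordLength") continue;
    const n = Number(ev.new);
    const outOfRange = !Number.isSafeInteger(n) || n < MIN_ALLOWED || n > MAX_ALLOWED;
    if (outOfRange) {
      hits.push(`${ev.ts} ${ev.orgId} by ${ev.actor}: minPasswordLength set to ${ev.new}`);
    }
  }
  return hits;
}
```

Running `auditPolicies(SAMPLE_POLICIES)` reports org-b and org-c, and `flagPolicyChangeEvents(SAMPLE_LOG_LINES)` reports only the org-b update. The two checks are deliberately separate: the bounded setter prevents the condition from being stored on a patched system, while the audit and log scan surface it on instances that have not yet been updated.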

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and NVD detail pages. The vulnerability affects Capgo versions prior to 12.128.2. Defenders should verify their Capgo instance version and review password policy configurations to assess exposure.

Official resources

This article is AI-assisted and based on the supplied source corpus.