{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/capgo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-56308"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Capgo (before 12.128.2)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","authentication-bypass","account-takeover","capgo","web-application"],"_cs_type":"advisory","_cs_vendors":["Capgo"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-56308, affects Capgo versions prior to 12.128.2. This flaw allows an authenticated attacker to manipulate user account settings by changing the primary email address without requiring the current password for re-authentication or verification of the existing email. The vulnerability's CVSS v3.1 base score is 7.3 (High) and v4.0 is 8.4 (High), indicating significant risk. Exploitation enables attackers to hijack account recovery processes and bypass multi-factor authentication (MFA) protections, leading to full account compromise. This represents a severe threat to the confidentiality and integrity of user accounts within Capgo applications, as it provides a direct path to account takeover for any attacker who can gain initial authenticated access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a valid session cookie or an already authenticated browser session belonging to a target Capgo user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this authenticated session to navigate to the email change functionality within the Capgo application.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a request to modify the account's registered email address to one under their control.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2026-56308, the Capgo application processes this request without requiring the user to re-authenticate with their current password or verify the existing email address.\u003c/li\u003e\n\u003cli\u003eThe target Capgo user's email address is successfully updated to the attacker-controlled email.\u003c/li\u003e\n\u003cli\u003eThe attacker then initiates a password reset or account recovery process for the compromised Capgo account.\u003c/li\u003e\n\u003cli\u003eThe password reset link or code is sent to the newly configured attacker-controlled email address.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the received reset information to set a new password, effectively taking full control of the victim's Capgo account and bypassing any multi-factor authentication mechanisms.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-56308 leads directly to full account takeover for affected Capgo users. This enables attackers to gain unauthorized access to all data and functionalities associated with the compromised account. Victims may experience loss of access to their Capgo applications, potential exposure of personal or sensitive information, and further unauthorized actions performed by the attacker using the hijacked account, including impersonation or access to connected third-party services. The bypass of multi-factor authentication renders a critical security layer ineffective, severely degrading overall account security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-56308 by upgrading Capgo to version 12.128.2 or later to mitigate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and strengthen authentication mechanisms for sensitive actions, ensuring re-authentication with the current password or multi-factor authentication is required for critical changes like email address updates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:23:44Z","date_published":"2026-07-12T12:23:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-capgo-email-change-vulnerability/","summary":"A vulnerability (CVE-2026-56308) in Capgo before version 12.128.2 allows an attacker with an authenticated session to change a user's email address without re-authentication or verification of the existing email, leading to account takeover through recovery mechanisms and multi-factor authentication bypass.","title":"Capgo Email Change Vulnerability Bypasses Authentication (CVE-2026-56308)","url":"https://feed.craftedsignal.io/briefs/2026-07-capgo-email-change-vulnerability/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-56241"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Capgo"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","capgo","cloud"],"_cs_type":"advisory","_cs_vendors":["Capgo"],"content_html":"\u003cp\u003eA critical privilege escalation vulnerability, tracked as CVE-2026-56241, has been identified in Capgo versions released before 12.128.2. This flaw allows a previously appointed super_admin user, even after being demoted from that role, to retain unauthorized access to specific Remote Procedure Calls (RPCs): \u003ccode\u003edelete_non_compliant_bundles\u003c/code\u003e and \u003ccode\u003ecount_non_compliant_bundles\u003c/code\u003e. The root cause is an issue where the \u003ccode\u003eorg_users.user_right\u003c/code\u003e column is not properly cleared when role bindings are removed. An attacker can exploit this oversight to continue performing high-privilege actions, such as enumerating and bulk deleting non-compliant bundles across an entire organization, effectively maintaining super_admin capabilities indefinitely despite their demoted status. This vulnerability poses a significant risk to data integrity and service availability for organizations utilizing Capgo.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary, previously a \u003ccode\u003esuper_admin\u003c/code\u003e user within a Capgo organization, is officially demoted from their administrative role.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (CVE-2026-56241), the \u003ccode\u003eorg_users.user_right\u003c/code\u003e column associated with the demoted user's account is not properly cleared.\u003c/li\u003e\n\u003cli\u003eThe demoted user exploits this oversight by continuing to invoke the \u003ccode\u003edelete_non_compliant_bundles\u003c/code\u003e and \u003ccode\u003ecount_non_compliant_bundles\u003c/code\u003e RPCs.\u003c/li\u003e\n\u003cli\u003eThe Capgo application, processing these RPCs, grants access based on the stale \u003ccode\u003esuper_admin\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eThe adversary successfully enumerates all non-compliant bundles within the organization.\u003c/li\u003e\n\u003cli\u003eThe adversary proceeds to bulk delete these non-compliant bundles across the entire organization.\u003c/li\u003e\n\u003cli\u003eThe objective is achieved, leading to unauthorized data manipulation and potential service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-56241 grants a demoted super_admin user the ability to perform indefinite and unauthorized enumeration and bulk deletion of non-compliant bundles across the entire Capgo organization. This can lead to severe data integrity issues, potential data loss, and significant service disruption by removing essential data assets. The CVSS v3.1 Base Score of 8.3 indicates a high severity risk, reflecting the critical impact on confidentiality, integrity, and availability. Organizations using affected Capgo versions face a substantial risk of malicious or accidental deletion of critical data by privileged insiders who should no longer possess such capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-56241 immediately by upgrading Capgo to version 12.128.2 or later to ensure \u003ccode\u003eorg_users.user_right\u003c/code\u003e columns are properly cleared upon role demotion.\u003c/li\u003e\n\u003cli\u003eReview Capgo application logs for unexpected \u003ccode\u003edelete_non_compliant_bundles\u003c/code\u003e or \u003ccode\u003ecount_non_compliant_bundles\u003c/code\u003e RPC calls originating from demoted user accounts.\u003c/li\u003e\n\u003cli\u003eImplement robust auditing and alerting for critical administrative actions within Capgo, paying particular attention to bundle management operations by all users, especially recently demoted ones.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:22:03Z","date_published":"2026-07-12T12:22:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-capgo-privesc/","summary":"A privilege escalation vulnerability, CVE-2026-56241, in Capgo versions prior to 12.128.2 allows demoted super_admin users to retain access to critical RPCs, enabling them to indefinitely enumerate and bulk delete non-compliant bundles across an organization.","title":"Capgo Privilege Escalation via Retained Super_Admin Privileges (CVE-2026-56241)","url":"https://feed.craftedsignal.io/briefs/2026-07-capgo-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Capgo","version":"https://jsonfeed.org/version/1.1"}