<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Capgo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/capgo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 12:23:44 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/capgo/feed.xml" rel="self" type="application/rss+xml"/><item><title>Capgo Email Change Vulnerability Bypasses Authentication (CVE-2026-56308)</title><link>https://feed.craftedsignal.io/briefs/2026-07-capgo-email-change-vulnerability/</link><pubDate>Sun, 12 Jul 2026 12:23:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-capgo-email-change-vulnerability/</guid><description>A vulnerability (CVE-2026-56308) in Capgo before version 12.128.2 allows an attacker with an authenticated session to change a user's email address without re-authentication or verification of the existing email, leading to account takeover through recovery mechanisms and multi-factor authentication bypass.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, identified as CVE-2026-56308, affects Capgo versions prior to 12.128.2. This flaw allows an authenticated attacker to manipulate user account settings by changing the primary email address without requiring the current password for re-authentication or verification of the existing email. The vulnerability's CVSS v3.1 base score is 7.3 (High) and v4.0 is 8.4 (High), indicating significant risk. Exploitation enables attackers to hijack account recovery processes and bypass multi-factor authentication (MFA) protections, leading to full account compromise. This represents a severe threat to the confidentiality and integrity of user accounts within Capgo applications, as it provides a direct path to account takeover for any attacker who can gain initial authenticated access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to a valid session cookie or an already authenticated browser session belonging to a target Capgo user.</li>
<li>The attacker uses this authenticated session to navigate to the email change functionality within the Capgo application.</li>
<li>The attacker submits a request to modify the account's registered email address to one under their control.</li>
<li>Due to CVE-2026-56308, the Capgo application processes this request without requiring the user to re-authenticate with their current password or verify the existing email address.</li>
<li>The target Capgo user's email address is successfully updated to the attacker-controlled email.</li>
<li>The attacker then initiates a password reset or account recovery process for the compromised Capgo account.</li>
<li>The password reset link or code is sent to the newly configured attacker-controlled email address.</li>
<li>The attacker uses the received reset information to set a new password, effectively taking full control of the victim's Capgo account and bypassing any multi-factor authentication mechanisms.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-56308 leads directly to full account takeover for affected Capgo users. This enables attackers to gain unauthorized access to all data and functionalities associated with the compromised account. Victims may experience loss of access to their Capgo applications, potential exposure of personal or sensitive information, and further unauthorized actions performed by the attacker using the hijacked account, including impersonation or access to connected third-party services. The bypass of multi-factor authentication renders a critical security layer ineffective, severely degrading overall account security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch CVE-2026-56308 by upgrading Capgo to version 12.128.2 or later to mitigate the vulnerability.</li>
<li>Review and strengthen authentication mechanisms for sensitive actions, ensuring re-authentication with the current password or multi-factor authentication is required for critical changes like email address updates.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>authentication-bypass</category><category>account-takeover</category><category>capgo</category><category>web-application</category></item><item><title>Capgo Privilege Escalation via Retained Super_Admin Privileges (CVE-2026-56241)</title><link>https://feed.craftedsignal.io/briefs/2026-07-capgo-privesc/</link><pubDate>Sun, 12 Jul 2026 12:22:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-capgo-privesc/</guid><description>A privilege escalation vulnerability, CVE-2026-56241, in Capgo versions prior to 12.128.2 allows demoted super_admin users to retain access to critical RPCs, enabling them to indefinitely enumerate and bulk delete non-compliant bundles across an organization.</description><content:encoded><![CDATA[<p>A critical privilege escalation vulnerability, tracked as CVE-2026-56241, has been identified in Capgo versions released before 12.128.2. This flaw allows a previously appointed super_admin user, even after being demoted from that role, to retain unauthorized access to specific Remote Procedure Calls (RPCs): <code>delete_non_compliant_bundles</code> and <code>count_non_compliant_bundles</code>. The root cause is an issue where the <code>org_users.user_right</code> column is not properly cleared when role bindings are removed. An attacker can exploit this oversight to continue performing high-privilege actions, such as enumerating and bulk deleting non-compliant bundles across an entire organization, effectively maintaining super_admin capabilities indefinitely despite their demoted status. This vulnerability poses a significant risk to data integrity and service availability for organizations utilizing Capgo.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary, previously a <code>super_admin</code> user within a Capgo organization, is officially demoted from their administrative role.</li>
<li>Due to the vulnerability (CVE-2026-56241), the <code>org_users.user_right</code> column associated with the demoted user's account is not properly cleared.</li>
<li>The demoted user exploits this oversight by continuing to invoke the <code>delete_non_compliant_bundles</code> and <code>count_non_compliant_bundles</code> RPCs.</li>
<li>The Capgo application, processing these RPCs, grants access based on the stale <code>super_admin</code> privileges.</li>
<li>The adversary successfully enumerates all non-compliant bundles within the organization.</li>
<li>The adversary proceeds to bulk delete these non-compliant bundles across the entire organization.</li>
<li>The objective is achieved, leading to unauthorized data manipulation and potential service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-56241 grants a demoted super_admin user the ability to perform indefinite and unauthorized enumeration and bulk deletion of non-compliant bundles across the entire Capgo organization. This can lead to severe data integrity issues, potential data loss, and significant service disruption by removing essential data assets. The CVSS v3.1 Base Score of 8.3 indicates a high severity risk, reflecting the critical impact on confidentiality, integrity, and availability. Organizations using affected Capgo versions face a substantial risk of malicious or accidental deletion of critical data by privileged insiders who should no longer possess such capabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-56241 immediately by upgrading Capgo to version 12.128.2 or later to ensure <code>org_users.user_right</code> columns are properly cleared upon role demotion.</li>
<li>Review Capgo application logs for unexpected <code>delete_non_compliant_bundles</code> or <code>count_non_compliant_bundles</code> RPC calls originating from demoted user accounts.</li>
<li>Implement robust auditing and alerting for critical administrative actions within Capgo, paying particular attention to bundle management operations by all users, especially recently demoted ones.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>vulnerability</category><category>capgo</category><category>cloud</category></item></channel></rss>