Capgo console.capgo.app/login before version 12.128.2 accepts access_token and refresh_token as URL query parameters and establishes a session from them automatically, without any user confirmation. An attacker can craft a link carrying tokens for an account they control and, when a victim opens it, log the victim into that attacker-controlled session (login CSRF / session fixation). Because the tokens travel in the query string, they are also exposed in browser history and in logs.
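The following is an added example, not Capgo's code and not the fix shipped in 12.128.2 (the page does not say how the issue was fixed). Only the route /login on console.capgo.app and the parameter names access_token and refresh_token come from the advisory; the handlers, the log format and every sample value are assumptions constructed for illustration. It shows the vulnerable pattern (tokens in the query string become the session), a hardened page handler that refuses URL-borne tokens and scrubs them from the URL, a redaction helper for anything that is logged, and a check over web-server access logs for the exposure the advisory describes.

```javascript
// Added example (not Capgo's code). Only /login on console.capgo.app and the
// parameter names access_token/refresh_token come from the advisory; the
// handlers, the log format and all sample values below are assumptions.

const TOKEN_PARAMS = ["access_token", "refresh_token"];

// Constructed attacker link: the tokens belong to a session the attacker controls.
const ATTACKER_LINK =
  "https://console.capgo.app/login?access_token=eyJhbGciOiJIUzI1NiJ9.attacker.sig" +
  "&refresh_token=rt-attacker-0001";

// Vulnerable pattern: whatever sits in the query string becomes the session,
// with no user action and no evidence that this browser started a login.
function vulnerableLogin(urlString) {
  const params = new URL(urlString).searchParams;
  const accessToken = params.get("access_token");
  const refreshToken = params.get("refresh_token");
  if (accessToken && refreshToken) {
    return { authenticated: true, source: "query", accessToken, refreshToken };
  }
  return { authenticated: false, source: null };
}

// Hardened pattern: tokens arriving in the URL are never used to build a
// session. The page strips them (so they do not stay in history or get
// re-sent) and falls through to the normal interactive login form.
function hardenedLogin(urlString) {
  const url = new URL(urlString);
  const found = TOKEN_PARAMS.filter((p) => url.searchParams.has(p));
  found.forEach((p) => url.searchParams.delete(p));
  return {
    authenticated: false,
    rejectedParams: found,
    cleanedUrl: url.toString(), // pass to history.replaceState in a browser
    action: found.length ? "ignore_tokens_and_show_login_form" : "show_login_form",
  };
}

// Redact token values before a URL reaches any log line or error report.
function redactTokens(urlString) {
  return urlString.replace(
    /([?&#](?:access_token|refresh_token)=)[^&#\s]*/g,
    "$1[REDACTED]"
  );
}

// Detection over web-server access logs (constructed Combined Log Format
// lines): flag any request to /login whose URI carries a token parameter.
const SAMPLE_LOG = [
  '203.0.113.7 - - [30/Jun/2026:22:45:00 +0000] "GET /login?access_token=eyJ.a.b&refresh_token=rt1 HTTP/1.1" 200 512 "https://attacker.example/" "Mozilla/5.0"',
  '198.51.100.3 - - [30/Jun/2026:22:46:10 +0000] "GET /login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '198.51.100.3 - - [30/Jun/2026:22:46:11 +0000] "GET /login?redirect=%2Fapps HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

function findTokenInUrlHits(lines) {
  const re = /"(?:GET|POST) (\/login\?[^" ]*\b(?:access_token|refresh_token)=[^" ]*) HTTP/;
  const hits = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (m) hits.push({ ip: line.split(" ")[0], uri: redactTokens(m[1]) });
  }
  return hits;
}

console.log(vulnerableLogin(ATTACKER_LINK));   // logged in as the attacker
console.log(hardenedLogin(ATTACKER_LINK));     // tokens rejected, URL cleaned
console.log(findTokenInUrlHits(SAMPLE_LOG));   // one redacted hit from 203.0.113.7
```

The detection regex only covers the GET/POST request line of a standard access log; if the application logs full URLs elsewhere (error trackers, CDN logs), run redactTokens on those paths as well, since the exposure the advisory describes is in logs generally, not just the web server's.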
Metrics
No data.

Affected Vendors & Products
No data.

References
No data.

History
Tue, 30 Jun 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs. | |
| Title | Capgo - Login CSRF and Session Fixation via URL Query Parameters | |
| Weaknesses | CWE-384 | |
| References | | |
| Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:22.873Z
Reserved: 2026-06-19T21:46:58.630Z
Link: CVE-2026-56224

OpenCVE Enrichment
Updated: 2026-06-30T23:30:04Z