PT-2026-54036 · Cap Go · Cap-Go

Judel777 · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-56331

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Capgo before 12.128.2 contains improper error handling in the /private/accept invitation endpoint, which returns HTTP 500 instead of a safe 4xx error when the magic invite string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic invite string values, causing server errors and leaking internal processing details.
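
The error-handling pattern described above, as an added example that is not Capgo's code: a handler that turns a malformed invite into a 500 carrying error detail, beside one that answers with a fixed 4xx and keeps the detail in server logs. The `magic_invite_string` field name, the base64url-JSON invite format and every function name here are assumptions made for illustration.

```javascript
// Added illustration, not Capgo code. The field name, the invite format
// (base64url-encoded JSON with `org` and `email`) and all names are assumed.
const INVITE_RE = /^[A-Za-z0-9_-]{16,512}$/;

// Hypothetical decoder: throws on anything that is not the expected payload.
function decodeInvite(magic) {
  const obj = JSON.parse(Buffer.from(magic, "base64url").toString("utf8"));
  if (typeof obj.org !== "string" || typeof obj.email !== "string") {
    throw new TypeError(`invite payload missing fields: ${Object.keys(obj)}`);
  }
  return obj;
}

// Before: any decoder exception becomes a 500 whose body echoes the error.
function acceptUnsafe(body) {
  try {
    return { status: 200, body: { org: decodeInvite(body.magic_invite_string).org } };
  } catch (err) {
    return { status: 500, body: { error: String(err.stack || err) } };
  }
}

// After: client-caused failures map to one fixed 400 response.
function acceptSafe(body, log = () => {}) {
  const magic = body && body.magic_invite_string;
  // Reject wrong type, length or alphabet before any decoding happens.
  if (typeof magic !== "string" || !INVITE_RE.test(magic)) {
    return { status: 400, body: { error: "invalid_invite" } };
  }
  try {
    return { status: 200, body: { org: decodeInvite(magic).org } };
  } catch (err) {
    log(err); // detail is recorded server-side only, never returned
    return { status: 400, body: { error: "invalid_invite" } };
  }
}
```

A regression test for a fix of this kind can send malformed values to the endpoint and check that the status is 4xx and the body is identical for every failure cause.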

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2026-56331

Affected Products

Cap-Go