CVE-2026-56224
MEDIUMDescription
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-56224? +
How severe is CVE-2026-56224? +
How do I check if I'm vulnerable to CVE-2026-56224? +
Related Vulnerabilities
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially …
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same …
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with …
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of …
Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from …
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized …