All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56224
MEDIUMpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 14:16 UTC
5.1
CVSS / 10
// description
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
// weaknesses (CWE)
- CWE-384