All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56331
MEDIUMpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 16:16 UTC
6.9
CVSS / 10
// description
Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.
// weaknesses (CWE)
- CWE-209