Cap-go - Authentication Logic Flaw in Enforce Password Policy
Description
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"Backend does not update or validate the password compliance state after a password change, causing a permanent forced-password-reset loop."
Attack vector
A Super Admin enables the Enforce Password Policy feature for the organization and then changes their password to one that meets the policy. The backend fails to update the password-compliance state, so it continues to treat the account as non-compliant, repeatedly forces password-reset prompts, and permanently locks the Super Admin out of organization access despite valid authentication [ref_id=1]. The condition is triggered by legitimate use of the password-enforcement feature, not by an external attacker exploiting a network path; an actor who has already obtained Super Admin credentials could enable the policy to provoke the lockout deliberately, but that requires the same privileged access the lockout then removes.
What the fix does
The advisory recommends that the backend update the password-compliance status immediately after a password change, validate the password policy server-side rather than only in the UI, clear the forced-password-reset flag once compliance is achieved, and add error handling and logging for policy-enforcement failures [ref_id=1]. No patch diff is included in the bundle, so the exact code change is not visible; the guidance amounts to keeping the backend's compliance state in sync with the stored password so that a compliant password no longer triggers reset prompts.
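The reset loop described under Attack vector and the remediation listed above, as an added TypeScript example that is not Capgo's code: a minimal in-memory model of the policy state machine with the buggy handler (stores the new hash, never touches the compliance state) beside a fixed handler (validates server-side, then updates compliance and clears the reset flag in the same step). All names (PasswordPolicy, UserRecord, Org, enablePolicy, mustResetPassword, changePasswordBuggy, changePasswordFixed, countResetPrompts, demoResetLoop) are hypothetical, the sample passwords are constructed, and fakeHash stands in for a real password hash.

```typescript
// Added example, not Capgo code. Hypothetical model of the compliance state
// the advisory says the backend must keep in sync after a password change.

interface PasswordPolicy {
  minLength: number;
  requireUpper: boolean;
  requireLower: boolean;
  requireDigit: boolean;
  requireSymbol: boolean;
}

interface UserRecord {
  passwordHash: string;        // stand-in for a real hash
  passwordCompliant: boolean;  // compliance state tracked by the backend
  forcePasswordReset: boolean; // flag that drives the reset prompt at login
}

interface Org {
  policy: PasswordPolicy | null;
}

// Server-side policy check (the advisory says this must not live only in the UI).
function isCompliant(password: string, policy: PasswordPolicy): boolean {
  if (password.length < policy.minLength) return false;
  if (policy.requireUpper && !/[A-Z]/.test(password)) return false;
  if (policy.requireLower && !/[a-z]/.test(password)) return false;
  if (policy.requireDigit && !/[0-9]/.test(password)) return false;
  if (policy.requireSymbol && !/[^A-Za-z0-9]/.test(password)) return false;
  return true;
}

// Toy stand-in for a password hash; NOT a real hash, for illustration only.
function fakeHash(pw: string): string {
  let h = 7;
  for (let i = 0; i < pw.length; i++) h = (h * 31 + pw.charCodeAt(i)) >>> 0;
  return `fake:${pw.length}:${h}`;
}

// Enabling the policy marks every existing account as non-compliant and
// flags it for a forced reset (what the Super Admin triggers).
function enablePolicy(org: Org, policy: PasswordPolicy, users: UserRecord[]): void {
  org.policy = policy;
  for (const u of users) {
    u.passwordCompliant = false;
    u.forcePasswordReset = true;
  }
}

// Login-time check: prompt whenever the stored state says the account is not compliant.
function mustResetPassword(org: Org, user: UserRecord): boolean {
  return org.policy !== null && (user.forcePasswordReset || !user.passwordCompliant);
}

// BUGGY: stores the new hash but never updates compliance state, so the
// reset prompt survives a compliant password change (the advisory's loop).
function changePasswordBuggy(_org: Org, user: UserRecord, newPassword: string): void {
  user.passwordHash = fakeHash(newPassword); // policy assumed checked only in the UI
}

// FIXED: reject non-compliant passwords server-side; on success update the
// compliance state and clear the forced-reset flag together, and log both paths.
function changePasswordFixed(org: Org, user: UserRecord, newPassword: string, log: string[] = []): boolean {
  if (org.policy !== null && !isCompliant(newPassword, org.policy)) {
    log.push("password_change_rejected: new password does not meet organization policy");
    return false;
  }
  user.passwordHash = fakeHash(newPassword);
  user.passwordCompliant = true;
  user.forcePasswordReset = false;
  log.push("password_change_ok: compliance state updated, forced-reset flag cleared");
  return true;
}

// Simulate `attempts` logins after a password change; count how many still prompt.
function countResetPrompts(org: Org, user: UserRecord, attempts: number): number {
  let prompts = 0;
  for (let i = 0; i < attempts; i++) if (mustResetPassword(org, user)) prompts++;
  return prompts;
}

// Run the same Super Admin flow against both handlers.
function demoResetLoop(): { buggyPrompts: number; fixedPrompts: number; weakRejected: boolean } {
  const policy: PasswordPolicy = { minLength: 12, requireUpper: true, requireLower: true, requireDigit: true, requireSymbol: true };
  const weak = "password";                // constructed sample: fails the policy
  const compliant = "Str0ng-Passw0rd!";   // constructed sample: meets the policy

  const orgA: Org = { policy: null };
  const adminA: UserRecord = { passwordHash: fakeHash(weak), passwordCompliant: true, forcePasswordReset: false };
  enablePolicy(orgA, policy, [adminA]);
  changePasswordBuggy(orgA, adminA, compliant);
  const buggyPrompts = countResetPrompts(orgA, adminA, 3); // every login still prompts

  const orgB: Org = { policy: null };
  const adminB: UserRecord = { passwordHash: fakeHash(weak), passwordCompliant: true, forcePasswordReset: false };
  enablePolicy(orgB, policy, [adminB]);
  const weakRejected = !changePasswordFixed(orgB, adminB, weak);
  changePasswordFixed(orgB, adminB, compliant);
  const fixedPrompts = countResetPrompts(orgB, adminB, 3); // prompt cleared after the compliant change

  return { buggyPrompts, fixedPrompts, weakRejected };
}
```

The point of the model is the coupling: the prompt is derived from stored state, so a handler that changes the password without changing that state produces exactly the advisory's permanent loop, and the fix is to make the state transition and the server-side validation part of the same write.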
Preconditions
- auth: Super Admin credentials are required to log in and enable the Enforce Password Policy feature.
- config: The Enforce Password Policy feature must be enabled for the organization.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-78rv-3cqj-36xq (MITRE; vendor advisory)
- www.vulncheck.com/advisories/cap-go-authentication-logic-flaw-in-enforce-password-policy (MITRE; third-party advisory)