The flaw allows a temporary authenticated session to change a user’s registered email address without undergoing a secondary authentication step such as password or MFA verification. Once the email address is redirected to an attacker-controlled inbox, the attacker can trigger a password reset and completely take control of the victim’s account. This directly compromises the confidentiality, integrity and availability of the affected user data and services. The weakness is a classic case of missing re‑authentication for a privileged action, documented as CWE‑306.

Cap‑go deployments running any version earlier than 12.128.2 are affected. The vulnerability exists in the default email change mechanism of the Cap‑go application and applies to all installations of the Cap‑go product that have not applied this specific patch or later releases.

The CVSS score is 7.2, indicating a high severity that could lead to full account takeover. The EPSS score is not available, but the vulnerability can be exploited remotely with minimal prerequisites – an attacker can acquire a temporary session token, execute the unauthenticated email change, receive a verification email, and reset the password. It is not listed in the CISA KEV catalog, but the risk of exploitation remains significant due to the nature of the attack vector and the ease of abuse given the lack of re‑authentication.