Description
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.
Published: 2026-06-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass that occurs in Cap-go when an attacker intercepts OTP verification requests and manipulates the HTTP response. By altering the server’s response to indicate a successful verification, an attacker can enable two‑factor authentication (2FA) on an account without proper authorization and then take full control of that account. The weakness is classified as CWE‑345, an insecure handling of authentication data.

Affected Systems

Cap‑go web application versions prior to 12.128.2 are affected. This includes all deployments of the Cap‑go product before the 12.128.2 release, regardless of host or deployment environment. No further product or vendor detail is supplied beyond the Cap‑go identifier.

Risk and Exploitability

The CVSS score of 9.3 reflects a high‑impact authentication bypass. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker with network access can listen in on OTP verification traffic, modify the server response, and falsely mark an account as verified. Once 2FA is enabled by the attacker, the account can be accessed and fully controlled.

Generated by OpenCVE AI on June 19, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cap‑go to version 12.128.2 or later, which removes the response manipulation flaw.
  • Ensure that OTP verification traffic is transmitted over a secure, unalterable channel such as HTTPS with strict TLS verification to prevent man‑in‑the‑middle tampering.
  • Validate OTP responses server‑side only, rejecting any client‑side indication of verification success to enforce proper authentication flow.

Generated by OpenCVE AI on June 19, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.
Title Cap-go - OTP Bypass via Response Manipulation in Email Verification
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T15:30:11.877Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56073

cve-icon Vulnrichment

Updated: 2026-06-22T15:27:32.326Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity