Description
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.
Published: 2026-06-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass in Cap-go: an attacker intercepts an OTP verification request and alters the server’s response so that the client treats verification as successful. The attacker can then enable two‑factor authentication (2FA) on an account without proper authorization and take full control of it. The weakness is classified as CWE‑345, Insufficient Verification of Data Authenticity.

Affected Systems

Cap‑go web application versions prior to 12.128.2 are affected. This includes all deployments of the Cap‑go product before the 12.128.2 release, regardless of host or deployment environment. No further product or vendor detail is supplied beyond the Cap‑go identifier.

Risk and Exploitability

The CVSS score of 9.3 reflects a high‑impact authentication bypass. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker with network access can listen in on OTP verification traffic, modify the server response, and falsely mark an account as verified. Once 2FA is enabled by the attacker, the account can be accessed and fully controlled.

Generated by OpenCVE AI on June 19, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cap‑go to version 12.128.2 or later, which removes the response manipulation flaw.
  • Ensure that OTP verification traffic is transmitted over a secure, unalterable channel such as HTTPS with strict TLS verification to prevent man‑in‑the‑middle tampering.
  • Validate OTP responses server‑side only, rejecting any client‑side indication of verification success to enforce proper authentication flow.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:15:00 +0000

Type         Values Removed   Values Added
Description                   Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.
Title                         Cap-go - OTP Bypass via Response Manipulation in Email Verification
Weaknesses                    CWE-345
References
Metrics                       cvssV3_1: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
                              cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T21:39:18.855Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56073

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T23:30:05Z

Weaknesses
  • CWE-345: Insufficient Verification of Data Authenticity