Description
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.
Published: 2026-06-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-go versions prior to 12.128.2 contain an authentication logic flaw that lets an attacker register an account and bind it to a victim's email address before the email is verified. Once the attacker enables two-factor authentication on this pre-registered account, they can assume control over the account claimed under the victim's identity, read and modify its state, enforce organization-level policies, and prevent the legitimate owner from accessing the account tied to their own email address. This reflects a high-severity account takeover scenario amplified by a 2FA misconfiguration.

Affected Systems

Cap-go (vendor: Cap-go), all deployments running any version earlier than 12.128.2.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical impact. EPSS information is not available, and the vulnerability is not listed in CISA's KEV catalog, but the potential for widespread account hijacking remains high. The likely attack vector is the public account registration endpoint, where an attacker can supply a victim's email address and then enable 2FA before that address is verified. Because registration is open, the attacker needs no privileges beyond those of an ordinary self-registering user and no additional credentials, making exploitation straightforward for a motivated threat actor.

Generated by OpenCVE AI on June 19, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Cap-go to version 12.128.2 or later
  • Enforce email verification before permitting two-factor authentication for any account
  • Monitor account registration and 2FA enablement logs for anomalous activity
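As an added example (not Cap-go's code or its real log format), a check for the third recommended action: it walks a constructed audit-event stream in timestamp order and flags every 2FA enablement on an address whose verification event has not yet been seen, which is the exact sequence the flaw above produces.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed values)
    kind: str     # "register", "email_verified" or "2fa_enabled"
    email: str


# Constructed sample audit trail; the event names are assumptions, not Cap-go's.
SAMPLE_EVENTS = [
    Event(100, "register", "alice@example.test"),
    Event(160, "email_verified", "alice@example.test"),
    Event(200, "2fa_enabled", "alice@example.test"),   # verified first: fine
    Event(300, "register", "bob@example.test"),
    Event(305, "2fa_enabled", "bob@example.test"),     # armed before mailbox control was proven
    Event(900, "email_verified", "bob@example.test"),  # real owner verifies, but 2FA is already set
]


def find_unverified_2fa(events):
    """Return (email, ts) for each 2FA enablement with no earlier verification.

    Events are processed in timestamp order, so a verification that arrives
    later (the locked-out owner finally clicking the link) does not clear
    the earlier, suspicious enablement.
    """
    verified = set()
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "email_verified":
            verified.add(ev.email)
        elif ev.kind == "2fa_enabled" and ev.email not in verified:
            hits.append((ev.email, ev.ts))
    return hits


if __name__ == "__main__":
    for email, ts in find_unverified_2fa(SAMPLE_EVENTS):
        print(f"ALERT: 2FA enabled on unverified address {email} at t={ts}")
```

Feeding the same check the real registration and 2FA audit log, once the event names are mapped, gives a direct alert for the pre-registration pattern described in the analysis.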
Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.

Type: Title
  Values Removed: (none)
  Values Added: Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-640

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
    cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T21:39:20.935Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56081

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T23:30:05Z

Weaknesses
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password