Description
Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Sun, 12 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections. | |
| Title | Capgo - Insufficient Authentication in Email Change Endpoint | |
| Weaknesses | CWE-640 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-12T12:06:33.602Z
Reserved: 2026-06-20T12:53:19.893Z
Link: CVE-2026-56308
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-640
Weak Password Recovery Mechanism for Forgotten Password