Description
Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors with captcha verification process failed messages, blocking access to security controls.
Published: 2026-06-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 contain a denial‑of‑service flaw in the /auth/v1/otp endpoint that causes captcha verification to fail repeatedly. The backend then returns HTTP 500 errors with a captcha verification failed message, preventing authenticated users from completing two‑factor authentication enrollment. The vulnerability is a functional failure classified as CWE‑703 and blocks a critical security control.

Affected Systems

The vulnerable product is Capgo. Versions before 12.128.2 (i.e., 12.128.1 or earlier) are impacted. Any installation running those earlier releases is at risk.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is repeated requests to the /auth/v1/otp endpoint that trigger captcha failures. An attacker with valid credentials could repeatedly request OTPs to disable 2FA enrollment for victim accounts, or an automated script could abuse the endpoint to cause widespread denial of service for users attempting to activate two‑factor authentication. While exploitation does not grant direct access to encrypted data, it undermines account security by blocking an essential defense mechanism.

Generated by OpenCVE AI on June 24, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Capgo 12.128.2 or newer to address the captcha validation bug.
  • Adjust OTP endpoint error handling so that captcha failures return a non‑fatal error code instead of HTTP 500, preserving 2FA enrollment flow.
  • Monitor OTP logs for abnormal request patterns and apply rate limiting or additional controls to mitigate hostile abuse of the endpoint.

Generated by OpenCVE AI on June 24, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors with captcha verification process failed messages, blocking access to security controls.
Title Capgo - Denial of Service in 2FA Email Verification via /auth/v1/otp Endpoint
Weaknesses CWE-703
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Cap-go Cap-go
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T14:59:10.684Z

Reserved: 2026-06-20T13:13:56.012Z

Link: CVE-2026-56338

cve-icon Vulnrichment

Updated: 2026-06-24T14:59:05.265Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-703

    Improper Check or Handling of Exceptional Conditions