CVE-2026-56073
published 2026-06-19
CVE-2026-56073: Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying…
Priority P263 · critical · 9.4 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:L
EPSS: 0.19% (8.6th percentile)
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cap-go | capgo | < 12.128.2 | 12.128.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Cap-go capgo up to 12.128.1 data authenticity (GHSA-x2gq-85v8-j9v4 / EUVD-2026-38092)
vuldb·2026-06-20·CVSS 9.4
CVE-2026-56073 [CRITICAL] Cap-go capgo up to 12.128.1 data authenticity (GHSA-x2gq-85v8-j9v4 / EUVD-2026-38092)
A vulnerability was found in Cap-go capgo up to 12.128.1 and classified as very critical. This impacts an unknown function. Executing a manipulation can lead to insufficient verification of data authenticity.
This vulnerability is tracked as CVE-2026-56073. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses.
ghsa_unreviewed·2026-06-20
CVE-2026-56073 [CRITICAL] CWE-345 Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses.
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.