CVE-2026-56081
Published: 2026-06-19
Priority: P2 · 61 · Critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.35% (27.0th percentile)
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cap-go | capgo | < 12.128.2 | 12.128.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-j4cx-5pw6-5v5j · unreviewed · 2026-06-20 · CVE-2026-56081 [CRITICAL] · CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified.
VulDB
Cap-go capgo up to 12.128.1 password recovery (GHSA-j4cx-5pw6-5v5j / EUVD-2026-38095) · vuldb · 2026-06-20 · CVSS 9.1 · CVE-2026-56081 [CRITICAL]
A vulnerability rated critical was found in Cap-go capgo up to 12.128.1. The record does not identify the affected functionality; the weakness is classified as weak password recovery (CWE-640). Remote exploitation is possible; no exploit is available. Upgrading to 12.128.2 is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.