CVE-2026-56073 | Cap-go before 12.128.2 contains an authentication bypass vul… | CVSS 9.4 CRITICAL

Description

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

Metadata

CVE ID: CVE-2026-56073
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-18 15:57 UTC
Published: 2026-06-19 21:39 UTC
Last updated: 2026-06-19 21:39 UTC
Primary CWE: CWE-345
Insufficient Verification of Data Authenticity
Vendor / Product: Cap-go / capgo
Sources: cve.org · NVD

Severity & Metrics

9.4 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected products (1)

Vendor	Product	Platform	Versions
Cap-go	capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-345	cna	Insufficient Verification of Data Authenticity

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.4	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References (2)

GHSA Advisory GHSA-x2gq-85v8-j9v4 https://github.com/Cap-go/capgo/security/advisories/GHSA-x2gq-85v8-j9v4
VulnCheck Advisory: Cap-go - OTP Bypass via Response Manipulation in Email Verification https://www.vulncheck.com/advisories/cap-go-otp-bypass-via-response-manipulation-in-email-verification