CVE-2026-56338 | Capgo before 12.128.2 contains a denial of service vulnerabi… | CVSS 5.3 MEDIUM

Description

Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors with captcha verification process failed messages, blocking access to security controls.

Metadata

CVE ID: CVE-2026-56338
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 13:13 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 11:53 UTC
Primary CWE: CWE-703
Improper Check or Handling of Exceptional Conditions
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-703	cna	Improper Check or Handling of Exceptional Conditions

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (2)

GitHub Security Advisory (GHSA-m53g-7gcj-x6f7) https://github.com/Cap-go/capgo/security/advisories/GHSA-m53g-7gcj-x6f7
VulnCheck Advisory: Capgo - Denial of Service in 2FA Email Verification via /auth/v1/otp Endpoint https://www.vulncheck.com/advisories/capgo-denial-of-service-in-2fa-email-verification-via-auth-v1-otp-endpoint