CVE-2026-56073

critical

Description

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate the HTTP responses so that the client falsely treats verification as successful, enabling unauthorized 2FA enablement and account takeover.

References

https://www.vulncheck.com/advisories/cap-go-otp-bypass-via-response-manipulation-in-email-verification

https://github.com/Cap-go/capgo/security/advisories/GHSA-x2gq-85v8-j9v4

Details

Source: Mitre, NVD

Published: 2026-06-19

Updated: 2026-06-19

Risk Information

CVSS v2

Base Score: 9.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

Severity: High

CVSS v3

Base Score: 9.4

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Severity: Critical