CVE-2026-53981
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk18th percentile - higher than 18% of all known CVEs
Summary
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.
Risk Assessment
This vulnerability poses a serious risk to organizations, allowing attackers to take over user accounts without identity verification. This can lead to data loss and breaches of user privacy.
Recommendation
It is recommended to update Cap-go to version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing extra verification mechanisms when changing email addresses is advisable.
Original NVD description (English source)
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.

