CVE Catalog

CVE-2026-53981

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile - higher than 18% of all known CVEs

Summary

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.

Risk Assessment

This vulnerability poses a serious risk to organizations, allowing attackers to take over user accounts without identity verification. This can lead to data loss and breaches of user privacy.

Recommendation

It is recommended to update Cap-go to version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing extra verification mechanisms when changing email addresses is advisable.

Original NVD description (English source)

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS