CVE Catalog

CVE-2026-56081

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

Cap-go before version 12.128.2 contains an authentication logic flaw that allows an attacker to register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker can take control of the account claimed under the victim's identity.

Risk Assessment

An attacker can gain access to the victim's account, leading to the ability to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to their own account.

Recommendation

It is recommended to update Cap-go to version 12.128.2 or later to mitigate this vulnerability. Additionally, user accounts should be monitored for unauthorized changes.

Original NVD description (English source)

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS