CVE-2026-56081
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
Cap-go before version 12.128.2 contains an authentication logic flaw that allows an attacker to register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker can take control of the account claimed under the victim's identity.
Risk Assessment
An attacker can gain access to the victim's account, leading to the ability to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to their own account.
Recommendation
It is recommended to update Cap-go to version 12.128.2 or later to mitigate this vulnerability. Additionally, user accounts should be monitored for unauthorized changes.
Original NVD description (English source)
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.

