CVE-2026-56073 PUBLISHED

Cap-go - OTP Bypass via Response Manipulation in Email Verification

Assigner: VulnCheck
Reserved: 18.06.2026 Published: 19.06.2026 Updated: 19.06.2026

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Cap-go
Product capgo
Versions Default: unaffected
  • affected from 0 to 12.128.2 (excl.)
  • Version 12.128.2 is unaffected

Credits

  • nancyhunter191 reporter

References

Problem Types

  • Insufficient Verification of Data Authenticity CWE