Cap-go – OTP Bypass via Response Manipulation in Email Verification

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

Basic Information

ID CVE-2026-56073

Source VulnCheck

Published Jun 19, 2026 at 21:39

Affected Product

Vendor Cap-go

Product capgo

Affected Versions Cap-go capgo 0

CWE Classification

CWE-345

References

{
    "lastseen": "",
    "description": "Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.",
    "published": "2026-06-19T21:39:18.855Z",
    "modified": "2026-06-19T21:39:18.855Z",
    "type": "cve",
    "title": "Cap-go - OTP Bypass via Response Manipulation in Email Verification",
    "source": "VulnCheck",
    "references": "https://github.com/Cap-go/capgo/security/advisories/GHSA-x2gq-85v8-j9v4\nhttps://www.vulncheck.com/advisories/cap-go-otp-bypass-via-response-manipulation-in-email-verification",
    "id": "CVE-2026-56073",
    "bulletinFamily": "",
    "cwe": [
        "CWE-345"
    ],
    "cvelist": null,
    "sourceData": "Cap-go capgo 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "capgo",
    "version": "0",
    "vendor": "Cap-go",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Cap-go – OTP Bypass via Response Manipulation in Email Verification_CVE-2026-56073