CVE-2026-53981
Account Takeover via Email Change in Cap-go

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulnCheck

Description
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: cap-go
Product: cap-go
Version / Range: prior to 12.128.2 (12.128.2 excluded)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-53981 is an account takeover vulnerability in Cap-go versions prior to 12.128.2. It occurs in the email change mechanism, where an attacker who has temporary authenticated session access can change the registered email address without needing to re-authenticate, such as entering a password or completing multi-factor authentication (MFA).

Because the system only sends verification to the new email address and does not verify the change via the current email or require additional authentication, the attacker can redirect verification emails to an attacker-controlled address. This allows the attacker to perform a password reset and permanently take over the victim's account.

Impact Analysis

This vulnerability can lead to a permanent account takeover by an attacker. If exploited, an attacker with temporary access to an authenticated session can change the victim's registered email address without further authentication.

The attacker can then receive verification and password reset emails, allowing them to gain full control over the victim's account. This compromises the confidentiality and integrity of the victim's account data and may also impact availability.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-53981, you should upgrade Cap-go to version 12.128.2 or later, where the issue has been patched.

Since the vulnerability allows attackers with temporary authenticated sessions to change the registered email without re-authentication, immediate mitigation involves applying the fixed version to prevent unauthorized email changes.
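The weakness described in the Executive Summary (a live session is the only check, and the only verification mail goes to the new address) and the control the Mitigation Strategies section implies (re-authentication before the change, plus verification through the current address) are easier to review with both patterns side by side. The following Python is an added illustration written for this page; it is not Cap-go code and says nothing about how Cap-go implements its flow. The Account, Session and Outbox types, the 5-minute step-up window and the one-hour token lifetime are assumptions chosen for the demo.

```python
"""Email-change flow: the CWE-306 pattern next to a hardened one.

Constructed illustration, not Cap-go code. Account, Session, Outbox and the
time windows below are assumptions made for this demo.
"""
import secrets
import time
from dataclasses import dataclass

REAUTH_WINDOW_SECONDS = 5 * 60   # assumed: how recent a password/MFA check must be
TOKEN_TTL_SECONDS = 60 * 60      # assumed: lifetime of a confirmation link


@dataclass
class Account:
    user_id: str
    email: str


@dataclass
class Session:
    user_id: str
    last_reauth_at: float  # unix time of the last password or MFA check


class Outbox:
    """Records outgoing mail so the flow can be inspected offline."""

    def __init__(self):
        self.sent = []  # (recipient, subject, body)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def change_email_weak(acct, session, new_email, outbox):
    """The pattern the advisory describes: the live session is the only check,
    the change is applied at once, and only the new address is mailed."""
    if session.user_id != acct.user_id:
        raise PermissionError("session does not belong to this account")
    acct.email = new_email  # nothing reaches the current owner
    outbox.send(new_email, "Email changed", "Your address was updated.")
    return acct.email


class EmailChangeService:
    """Hardened flow: step-up authentication, confirmation at the new
    address, and notification with a cancel link at the current address."""

    def __init__(self, outbox, now=time.time):
        self.outbox = outbox
        self.now = now
        # confirm token -> (user_id, new_email, old_email, expires_at, cancel token)
        # (a production store would keep a hash of each token, not the token itself)
        self.pending = {}
        self.cancel_index = {}  # cancel token -> confirm token

    def request_change(self, acct, session, new_email, reauthenticated_now=False):
        if session.user_id != acct.user_id:
            raise PermissionError("session does not belong to this account")
        # CWE-306 fix: a sensitive change needs a fresh credential check,
        # either performed in this request or within the step-up window.
        if not reauthenticated_now and self.now() - session.last_reauth_at > REAUTH_WINDOW_SECONDS:
            raise PermissionError("re-authentication required")
        confirm = secrets.token_urlsafe(32)
        cancel = secrets.token_urlsafe(32)
        self.pending[confirm] = (acct.user_id, new_email, acct.email,
                                 self.now() + TOKEN_TTL_SECONDS, cancel)
        self.cancel_index[cancel] = confirm
        # The new address proves it is reachable; the current owner is told
        # and can stop the change. Nothing is applied until confirm() succeeds.
        self.outbox.send(new_email, "Confirm your new email", f"confirm={confirm}")
        self.outbox.send(acct.email, "Email change requested", f"cancel={cancel}")
        return confirm

    def confirm(self, acct, token):
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        user_id, new_email, old_email, expires_at, cancel = entry
        self.cancel_index.pop(cancel, None)
        if user_id != acct.user_id or self.now() > expires_at:
            return False
        acct.email = new_email
        # Final notice to the previous address leaves evidence if the owner did not do this.
        self.outbox.send(old_email, "Your email was changed", f"New address: {new_email}")
        return True

    def cancel(self, token):
        confirm = self.cancel_index.pop(token, None)
        if confirm is None:
            return False
        self.pending.pop(confirm, None)
        return True


if __name__ == "__main__":
    box = Outbox()
    acct = Account("u1", "owner@example.test")
    svc = EmailChangeService(box)
    stale = Session("u1", last_reauth_at=0.0)
    try:
        svc.request_change(acct, stale, "new@example.test")
    except PermissionError as exc:
        print("stale session rejected:", exc)
    tok = svc.request_change(acct, stale, "new@example.test", reauthenticated_now=True)
    print("mail recipients before confirm:", [m[0] for m in box.sent])
    print("confirmed:", svc.confirm(acct, tok), "->", acct.email)
```

Reviewing an email-change endpoint against this shape is quick: look for a credential check tied to the request (not just a valid cookie), for a pending state that is only applied after the new address confirms, and for a message to the current address that lets the owner stop the change. Any one of the three missing is the condition the CWE-306 entry above describes.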

Compliance Impact

The vulnerability allows an attacker to take over user accounts by changing the registered email address without re-authentication, which can lead to unauthorized access to personal and sensitive information.

Such unauthorized access and account takeover can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of personal data.

Specifically, the lack of proper authentication for critical functions (CWE-306) and improper access control (CWE-284) increases the risk of data breaches, potentially leading to non-compliance with these standards.
