CVE-2026-56081
Received - Intake
Authentication Bypass in Cap-go Before 12.128.2

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-640
Description: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Executive Summary

This vulnerability exists in Cap-go versions before 12.128.2 and involves a flaw in the authentication logic. It allows an attacker to register and control an account linked to a victim's email address before the email is verified.

By enabling two-factor authentication on this pre-registered account, the attacker can fully control the account under the victim's identity. This control includes reading and modifying the account's state and enforcing organization-level policies.

Meanwhile, the legitimate user is denied access to the account associated with their own email address.

Impact Analysis

The vulnerability can have severe impacts, including unauthorized control over an account that appears to belong to the victim.

  • The attacker can read and modify the account's state.
  • The attacker can enforce organization-level policies, potentially disrupting normal operations.
  • The legitimate user is locked out of their own account, losing access and control.