CVE-2026-56338
Status: Received - Intake
Denial of Service in Capgo Due to Captcha Validation Failure

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication because captcha validation fails. Authenticated users cannot complete 2FA enrollment: the backend consistently returns HTTP 500 errors with "captcha verification process failed" messages, blocking access to this security control.
Meta Information
Generated: 2026-06-24
AI Q&A generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: capgo
Product: capgo
Version / Range: all versions before 12.128.2 (12.128.2 itself excluded)
CWE
CWE-703: The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
AI Quick Actions
Executive Summary

CVE-2026-56338 is a denial of service vulnerability in Capgo versions before 12.128.2 that affects the two-factor authentication (2FA) email verification process.

The issue occurs at the /auth/v1/otp endpoint where captcha validation fails, causing the backend to return HTTP 500 errors with messages indicating captcha verification process failures.

As a result, authenticated users cannot complete 2FA enrollment because the system fails to send the verification code needed for email verification.

The root cause is either the frontend not providing a valid captcha token or a failure in the backend captcha provider, and the weakness is categorized under CWE-703 for improper handling of exceptional conditions.

Impact Analysis

This vulnerability prevents authenticated users from completing two-factor authentication (2FA) enrollment by blocking email verification.

Because the backend returns HTTP 500 errors due to captcha validation failures, users cannot enable 2FA, which is a critical security control.

This effectively blocks access to enhanced security features, potentially leaving accounts more vulnerable to unauthorized access.

Detection Guidance

This vulnerability can be detected by monitoring the /auth/v1/otp endpoint for repeated HTTP 500 errors with the message "captcha verification process failed." Such errors indicate that the backend is failing captcha validation during 2FA email verification attempts.

A practical detection method is to send a POST request to the /auth/v1/otp endpoint simulating a 2FA email verification attempt and observe the response.

  • Use curl to test the endpoint and check for HTTP 500 errors and the specific captcha failure message, for example:
      curl -X POST https://<capgo-server>/auth/v1/otp -d '{"email":"<user-email>"}' -H 'Content-Type: application/json' -v
  • Check the response for HTTP 500 status and the message "captcha verification process failed."
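The monitoring approach described above, run over log data instead of a live probe, as an added example that is not part of this record or of Capgo's own code. It assumes a combined-style access log in which the application's error message is appended as a trailing quoted field (a constructed format for this illustration; adjust parse_line() to your real log shape) and flags clients that repeatedly receive the captcha-related HTTP 500 on /auth/v1/otp, which is the signal that 2FA enrollment is being blocked.

```python
"""Flag repeated "captcha verification process failed" HTTP 500s on /auth/v1/otp.

Added example, not Capgo's code. Assumes an access-log line layout of the form
  <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes> "<app message>"
which is a constructed format for this illustration.
"""
import re
from collections import Counter

# Constructed sample lines for the illustration; not real Capgo output.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2026:10:00:01 +0000] "POST /auth/v1/otp HTTP/1.1" 500 87 "captcha verification process failed"
203.0.113.5 - - [24/Jun/2026:10:00:09 +0000] "POST /auth/v1/otp HTTP/1.1" 500 87 "captcha verification process failed"
198.51.100.7 - - [24/Jun/2026:10:00:12 +0000] "POST /auth/v1/otp HTTP/1.1" 200 21 "-"
203.0.113.5 - - [24/Jun/2026:10:00:20 +0000] "POST /auth/v1/otp HTTP/1.1" 500 87 "captcha verification process failed"
198.51.100.7 - - [24/Jun/2026:10:01:03 +0000] "GET /api/v1/health HTTP/1.1" 500 15 "upstream timeout"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<msg>[^"]*)"$'
)

OTP_PATH = "/auth/v1/otp"
CAPTCHA_MSG = "captcha verification process failed"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_captcha_500(rec):
    """True when the record is the specific failure signature from the advisory."""
    return (
        rec["path"] == OTP_PATH
        and rec["status"] == 500
        and CAPTCHA_MSG in rec["msg"].lower()
    )


def find_affected_clients(log_text, threshold=2):
    """Return {ip: count} for clients that hit the captcha 500 at least `threshold` times.

    A single 500 can be noise; repeated ones from the same client during 2FA
    enrollment are the pattern the advisory describes.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_captcha_500(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_affected_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} captcha-related 500s on {OTP_PATH}; 2FA enrollment likely blocked")
```

Unrelated 500s (the health-check line) and successful OTP requests are deliberately ignored, so the alert fires only on the exact path, status and message combination; after upgrading to 12.128.2 or later the count for this signature should drop to zero, which makes the same check useful as a post-patch verification.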
Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where this vulnerability has been patched.

Until the upgrade can be applied, monitor and restrict access to the /auth/v1/otp endpoint to reduce impact, and inform users about the 2FA enrollment issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
