CVE-2026-56308
Received Received - Intake

Email Address Change Without Re-authentication in Capgo

Vulnerability report for CVE-2026-56308, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves insufficient authentication in the email change process.

An attacker who has access to a valid session cookie or an authenticated browser session can change the account's email address without needing to re-authenticate with the current password or verify the existing email address.

By exploiting this flaw, the attacker can take control of the account recovery process and bypass multi-factor authentication protections, effectively enabling account takeover.

Compliance Impact

The vulnerability allows attackers to take over user accounts by changing email addresses without re-authentication, which can lead to loss of control over account recovery and bypass of multi-factor authentication protections.

This situation poses high risks including audit failures, regulatory exposure, and potential financial and reputational damage.

Such risks can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong authentication controls and protection of user data to prevent unauthorized access and ensure accountability.

Detection Guidance

This vulnerability involves the ability to change the account email without requiring current password re-authentication or verification of the existing email address. Detection would focus on monitoring for unauthorized or suspicious email change requests within Capgo versions before 12.128.2.

To detect exploitation attempts on your system or network, you should:

  • Monitor application logs for email change requests that do not require password verification.
  • Look for unusual patterns of email changes, especially from authenticated sessions without corresponding password re-authentication.
  • Check for session cookie usage anomalies that might indicate session hijacking or fixation.

Specific commands depend on your environment and logging setup, but example commands might include:

  • Using grep or similar tools to search logs for email change API calls or endpoints, e.g., `grep -i "email change" /var/log/capgo/access.log`
  • Querying web server or application logs for requests to the email change endpoint without accompanying password verification fields.
  • Using network monitoring tools to detect suspicious POST requests to the email change endpoint from authenticated sessions.

Additionally, implementing alerting on these suspicious activities can help detect exploitation attempts early.

Impact Analysis

The vulnerability can lead to serious security impacts including account takeover and bypass of multi-factor authentication protections.

  • Attackers can change the email address associated with an account without re-authentication.
  • This allows attackers to gain control over account recovery mechanisms.
  • It can result in privilege escalation and unauthorized access to sensitive information.
  • There is a risk of audit failures and reputational damage to the affected organization.
  • Business risks include financial loss, regulatory exposure, increased operational costs, and brand damage.
Mitigation Strategies

To mitigate the vulnerability in Capgo before version 12.128.2, immediate steps include requiring current-password re-authentication before allowing email address changes.

  • Confirm email changes via the existing email address to ensure legitimacy.
  • Verify the new email address before applying the change.
  • Implement stronger authentication mechanisms for high-risk accounts.
  • Rotate recovery secrets to prevent unauthorized account recovery.
  • Add rate-limiting and abuse detection to prevent automated or malicious attempts.
  • Log all email change attempts and notify users of any unauthorized modifications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart