Skip to content
Threat Feed
high advisory

Capgo Email Change Vulnerability Bypasses Authentication (CVE-2026-56308)

A vulnerability (CVE-2026-56308) in Capgo before version 12.128.2 allows an attacker with an authenticated session to change a user's email address without re-authentication or verification of the existing email, leading to account takeover through recovery mechanisms and multi-factor authentication bypass.

A critical authentication bypass vulnerability, identified as CVE-2026-56308, affects Capgo versions prior to 12.128.2. This flaw allows an authenticated attacker to manipulate user account settings by changing the primary email address without requiring the current password for re-authentication or verification of the existing email. The vulnerability's CVSS v3.1 base score is 7.3 (High) and v4.0 is 8.4 (High), indicating significant risk. Exploitation enables attackers to hijack account recovery processes and bypass multi-factor authentication (MFA) protections, leading to full account compromise. This represents a severe threat to the confidentiality and integrity of user accounts within Capgo applications, as it provides a direct path to account takeover for any attacker who can gain initial authenticated access.

Attack Chain

  1. An attacker gains access to a valid session cookie or an already authenticated browser session belonging to a target Capgo user.
  2. The attacker uses this authenticated session to navigate to the email change functionality within the Capgo application.
  3. The attacker submits a request to modify the account's registered email address to one under their control.
  4. Due to CVE-2026-56308, the Capgo application processes this request without requiring the user to re-authenticate with their current password or verify the existing email address.
  5. The target Capgo user's email address is successfully updated to the attacker-controlled email.
  6. The attacker then initiates a password reset or account recovery process for the compromised Capgo account.
  7. The password reset link or code is sent to the newly configured attacker-controlled email address.
  8. The attacker uses the received reset information to set a new password, effectively taking full control of the victim's Capgo account and bypassing any multi-factor authentication mechanisms.

Impact

Successful exploitation of CVE-2026-56308 leads directly to full account takeover for affected Capgo users. This enables attackers to gain unauthorized access to all data and functionalities associated with the compromised account. Victims may experience loss of access to their Capgo applications, potential exposure of personal or sensitive information, and further unauthorized actions performed by the attacker using the hijacked account, including impersonation or access to connected third-party services. The bypass of multi-factor authentication renders a critical security layer ineffective, severely degrading overall account security.

Recommendation

  • Immediately patch CVE-2026-56308 by upgrading Capgo to version 12.128.2 or later to mitigate the vulnerability.
  • Review and strengthen authentication mechanisms for sensitive actions, ensuring re-authentication with the current password or multi-factor authentication is required for critical changes like email address updates.

Indicators of compromise

2

url

TypeValue
urlhttps://github.com/Cap-go/capgo/security/advisories/GHSA-9px4-w25f-mvm4
urlhttps://www.vulncheck.com/advisories/capgo-insufficient-authentication-in-email-change-endpoint