CVE-2026-56081
Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email
Description
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.
INFO
Published Date :
June 19, 2026, 9:39 p.m.
Last Modified :
June 19, 2026, 9:39 p.m.
Remotely Exploit :
Yes !
Source :
VulnCheck
Affected Products
The following products are affected by CVE-2026-56081
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 3.1 | CRITICAL | MITRE-CVE | ||||
| CVSS 4.0 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
Solution
- Update Cap-go to version 12.128.2 or later.
- Verify email verification process.
- Review account registration security.
- Implement stricter email verification.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-56081 vulnerability anywhere in the article.