Account Takeover Vulnerability in Cap-go Email Change Mechanism
CVE-2026-53981

7.2HIGH

Key Information:

Vendor

Cap-go

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-53981?

The Cap-go email change mechanism prior to version 12.128.2 contains a security vulnerability that permits an attacker with a temporary authenticated session to change a registered email address without the need for re-authentication measures, such as password or multi-factor authentication (MFA) verification. This flaw allows attackers to redirect email verification links to their own control, enabling them to execute a password reset and seize full control of the victim's account.

Affected Version(s)

Cap-go 0

Cap-go 0 < 12.128.2

Cap-go 6685e5f11adef257bf3d085e481f4d8ebcec602e

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Naitik Gupta
.