CRITICAL | CVE-2026-56073 | CNA: VulnCheck

CVE-2026-56073: Cap-go - OTP Bypass via Response Manipulation in Email Verification

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 12.128.2
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in Cap-go (the capgo package) affecting versions before 12.128.2. The flaw is reachable over the network with no authentication required: any attacker who can intercept or proxy HTTP traffic between the client and server can manipulate OTP verification responses so that a failed check is falsely marked as successful. Successful exploitation enables unauthorized two-factor authentication enablement and full account takeover. A patched-image rebuild at version 12.128.2 is available on HarborGuard for environments running an affected version.
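
The bug class described above, as an added example (not Cap-go's code and not taken from the 12.128.2 fix): a verification verdict that exists only in an HTTP response can be rewritten in transit, so the step that enables 2FA has to consult state the server recorded itself. `VerificationStore`, `enable2fa`, `enable2faTrustingClient`, the `emailVerified` field and the session ids are hypothetical names.

```javascript
// Added illustration of the bug class; not Cap-go's code. All names are hypothetical.
const { createHash, timingSafeEqual } = require('node:crypto');

const sha256 = (value) => createHash('sha256').update(String(value)).digest();

class VerificationStore {
  constructor({ ttlMs = 5 * 60_000, maxAttempts = 5 } = {}) {
    this.ttlMs = ttlMs;
    this.maxAttempts = maxAttempts;
    this.pending = new Map();  // sessionId -> { hash, expires, attempts }
    this.verified = new Set(); // sessions whose OTP check passed on the server
  }

  issue(sessionId, otp, now = Date.now()) {
    this.verified.delete(sessionId);
    this.pending.set(sessionId, { hash: sha256(otp), expires: now + this.ttlMs, attempts: 0 });
  }

  // The verdict is recorded here, server-side; the response body is informational only.
  verify(sessionId, submitted, now = Date.now()) {
    const rec = this.pending.get(sessionId);
    if (!rec || now > rec.expires || ++rec.attempts > this.maxAttempts) {
      this.pending.delete(sessionId);
      return { verified: false };
    }
    const ok = timingSafeEqual(rec.hash, sha256(submitted));
    if (ok) {
      this.pending.delete(sessionId);
      this.verified.add(sessionId);
    }
    return { verified: ok };
  }
}

// Weak pattern: the next step believes a flag the client copied from a response.
function enable2faTrustingClient(_store, request) {
  return { status: request.body.emailVerified === true ? 200 : 403 };
}

// Hardened pattern: the next step consults only server-side state, and only once.
function enable2fa(store, request) {
  if (!store.verified.delete(request.sessionId)) return { status: 403 };
  return { status: 200 };
}
```

With the hardened handler, a request that claims `emailVerified: true` is refused unless `verify()` actually succeeded for that session, and the recorded success is consumed on first use.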

HarborGuard Coverage

Detection

Detection of CVE-2026-56073 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle capgo.

Status: Available

Triage

HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and surfaces it accordingly in each customer organization's triage queue. Per-environment compliance policy weighting is applied to route the alert to the appropriate team inbox based on configured severity thresholds and ownership rules.

Status: Available

Patch

A patched-image rebuild at capgo 12.128.2 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the OTP verification endpoint over the network, exposing any internet-accessible or network-reachable deployment to exploitation.

  • Authentication: Not required

    No account credentials or prior authentication are needed to attempt response manipulation against the verification endpoint.

  • Victim interaction: Not required

    The attacker does not need any action from a legitimate user to intercept and modify the HTTP response.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental factors beyond network access.

Blast Radius

  • A successful attacker bypasses email OTP verification entirely, gaining the ability to enroll unauthorized two-factor authentication methods on a target account.
  • With 2FA under attacker control, the attacker can complete a full account takeover, locking out the legitimate owner and assuming their identity within the application.
  • Confidentiality impact is high: the attacker gains read access to all data and resources accessible under the compromised account.
  • Integrity impact is high: the attacker can modify account settings, persisted user data, and any application records the compromised account can write.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image containing capgo below 12.128.2, across both registry scans and pipeline checks. Where compliance policy permits, a rebuilt image at capgo 12.128.2 is made available immediately, and customers with auto-remediation enabled receive a regression-tested rebuild plus a pull request opened against affected workloads. For high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not enabled auto-remediation should prioritize a manual rebuild to 12.128.2 and, in the interim, consider placing the OTP verification endpoint behind a network policy that restricts access to trusted origins only, reducing the opportunity for response interception.

Fix available: 12.128.2

Affected packages
  • Cap-go / capgo
    < 12.128.2 (from 0)
    Fixed in 12.128.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N