CRITICAL | CVE-2026-56081 | CNA: VulnCheck

CVE-2026-56081: Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 12.128.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication logic flaw in Cap-go (capgo) before version 12.128.2 allows a remote, unauthenticated attacker to register an account tied to a victim's email address before that email is verified, then lock the victim out by enabling two-factor authentication on the pre-registered account. The attacker can read account state, modify it, and enforce organization-level policies while the legitimate owner is denied access entirely. A patched-image rebuild at version 12.128.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-56081 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle capgo. Affected image layers are flagged in both registry scans and live CI/CD pipeline checks.

Available
Triage

HarborGuard scores this vulnerability at CVSS 9.3 Critical (v4.0) and weights that score against each customer environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild pinned to capgo 12.128.2 becomes available through HarborGuard once the fix version is confirmed against the upstream release. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker reaches the vulnerable registration endpoint over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or credentials are needed; the attacker interacts with the public registration flow.

  • Victim interaction: Not required

    The victim does not need to click, visit, or approve anything for the attack to succeed.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental factors must be satisfied.

Blast Radius

  • The attacker reads all state stored in the account registered under the victim's email, including any profile data and associated records.
  • The attacker modifies account state and configuration, such as enabling two-factor authentication to lock the legitimate owner out permanently.
  • The attacker enforces organization-level policies under the victim's identity, potentially affecting other members of the same organization.
  • The legitimate account owner is denied access to the account tied to their own email address for as long as the attacker controls it.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of the CVE hitting upstream feeds, and a patched-image rebuild at capgo 12.128.2 is available for any environment confirmed to be running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes the configured regression-test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS 9.3 Critical score and remediation context attached. Until a rebuild is deployed, consider restricting public access to the registration endpoint via network policy, or gating the unverified-email registration flow with a feature flag if the application supports it.
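
The flaw described above comes down to sensitive actions being permitted on an account whose email address was never verified. The following is an added illustration, not Cap-go's code or its actual fix: a server-side guard plus an audit over existing records. The `UserAccount` shape, the function names and the sample records are all hypothetical.

```typescript
// Hypothetical account model; field names are assumptions, not Cap-go's schema.
interface UserAccount {
  id: string;
  emailVerifiedAt: string | null; // ISO timestamp; null until the owner confirms the address
  mfaEnrolledAt: string | null;   // ISO timestamp; null while 2FA is off
  orgPoliciesSet: number;         // organization-level policies enforced by this account
}

interface GuardDecision { allowed: boolean; reason: string }

// Server-side guard for sensitive actions (2FA enrollment, org policy changes):
// refuse them until the email address has been verified by its owner.
function canPerformSensitiveAction(acct: UserAccount): GuardDecision {
  if (acct.emailVerifiedAt === null) {
    return { allowed: false, reason: "email_unverified" };
  }
  return { allowed: true, reason: "ok" };
}

// Audit of existing records: return ids of accounts that enabled 2FA before
// (or without) email verification, or set org policies while unverified.
function findAccountsToReview(accounts: UserAccount[]): string[] {
  return accounts
    .filter((a) => {
      const verifiedAt = a.emailVerifiedAt === null ? null : Date.parse(a.emailVerifiedAt);
      const mfaAt = a.mfaEnrolledAt === null ? null : Date.parse(a.mfaEnrolledAt);
      const mfaBeforeVerify = mfaAt !== null && (verifiedAt === null || mfaAt < verifiedAt);
      const policyWhileUnverified = verifiedAt === null && a.orgPoliciesSet > 0;
      return mfaBeforeVerify || policyWhileUnverified;
    })
    .map((a) => a.id);
}

// Constructed sample records, for illustration only.
const sampleAccounts: UserAccount[] = [
  { id: "a1", emailVerifiedAt: "2026-01-02T10:00:00Z", mfaEnrolledAt: "2026-01-03T09:00:00Z", orgPoliciesSet: 1 },
  { id: "a2", emailVerifiedAt: null, mfaEnrolledAt: "2026-01-05T12:00:00Z", orgPoliciesSet: 0 },
  { id: "a3", emailVerifiedAt: null, mfaEnrolledAt: null, orgPoliciesSet: 2 },
  { id: "a4", emailVerifiedAt: "2026-01-09T08:00:00Z", mfaEnrolledAt: "2026-01-08T08:00:00Z", orgPoliciesSet: 0 },
  { id: "a5", emailVerifiedAt: null, mfaEnrolledAt: null, orgPoliciesSet: 0 },
];

console.log(findAccountsToReview(sampleAccounts));
```

Accounts returned by the audit are candidates for manual review, since a record in that state may predate the fix.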


Fix available

12.128.2

Affected packages

  • Cap-go / capgo
    < 12.128.2 (from 0)
    Fixed in 12.128.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N