CVE-2026-53981
Description
Cap-go prior to 12.128.2 allows account takeover via an insecure email change mechanism that does not require re-authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cap-go versions prior to 12.128.2 contain an account takeover vulnerability (CWE-306: Missing Authentication for Critical Function) in the email change mechanism. When a logged-in user changes their registered email address, the verification email is sent only to the new address and not to the existing registered one, and the change requires no re-authentication (password or MFA). An attacker with temporary access to an authenticated session can therefore change the email to an attacker-controlled address without any check reaching the legitimate account owner [1][3].
Exploitation
An attacker who gains temporary access to an authenticated session (e.g., through a public or shared computer where the victim forgot to log out) can navigate to Account Settings, change the registered email from the victim's address to an attacker-controlled one, and then click the verification link sent to that attacker-controlled email. The change is completed without requiring the victim's password, MFA, or any confirmation sent to the original email. The attacker can then initiate a password reset via the new email to permanently take over the account [1].
Impact
Successful exploitation results in permanent account takeover. The attacker gains full control of the victim's account, including the ability to reset the password, lock the legitimate user out, access sensitive data, and perform actions as the victim. If the account is linked to financial data, personal data, or other critical resources, the impact escalates accordingly [1][3].
Mitigation
The vulnerability is fixed in Cap-go version 12.128.2, released in commit 6685e5f [2]. All users are strongly advised to upgrade to 12.128.2 or later. No workarounds have been disclosed, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
6685e5f11ade chore(release): 12.128.2
2 files changed · +2 −2
package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "capgo-app", "type": "module", - "version": "12.128.1", + "version": "12.128.2", "private": true, "workspaces": [ "cli"
supabase/functions/_backend/utils/version.ts+1 −1 modified@@ -1,3 +1,3 @@ -export const version = '12.128.1' +export const version = '12.128.2' // This is automatically generated by the update-version.js script don't edit it manually
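Review bot: Neither hunk touches the email-change flow; the package.json and supabase/functions/_backend/utils/version.ts hunks only move the version string from 12.128.1 to 12.128.2, so this release commit records the fixed version but not the fix itself. The page should link the commit that introduces the re-authentication requirement and the confirmation to the existing address (or state that the change lives outside this repository), so a reader can verify the behavioural change rather than the version bump. The comment in version.ts ("This is automatically generated by the update-version.js script") is consistent with this being an automated release commit.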
Vulnerability mechanics
Root cause
"No re-authentication (password or MFA) required for email change and verification sent only to the new email address, not the existing registered email."
Attack vector
An attacker with temporary access to an authenticated session (e.g., on a shared or public computer where the victim forgot to log out) can navigate to Account Settings → Change Email and replace the victim's email with an attacker-controlled address. The verification email is sent only to the new email, so the attacker can verify the change without any confirmation sent to the original email. Once the email is changed, the attacker can perform a password reset to permanently take over the account [1].
Affected code
The vulnerability exists in the email change mechanism of Cap-go (console.capgo.app). When a logged-in user changes their account email, the verification process is only sent to the new email address, not the existing registered email. No re-authentication (password or MFA) is required to perform this sensitive action.
What the fix does
The advisory does not include a patch diff, but the recommended fix is to require re-authentication (password or MFA) before allowing an email change, send a verification link to the currently registered email address, and send a security alert to the old email upon any change. Without these controls, an attacker with temporary session access can permanently lock out the legitimate user [1].
Preconditions
- (auth) Attacker must have access to an authenticated session of the victim (e.g., on a shared or public computer where the victim forgot to log out)
- (input) Attacker must control an email address to receive the verification link
- (config) Victim's session must still be active on the device the attacker accesses
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References