VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Cap-go - OTP Bypass via Response Manipulation in Email Verification

CVE-2026-56073

Description

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches

Vulnerability mechanics

Root cause

"The server trusts client-modifiable HTTP responses to determine OTP verification success instead of performing strict server-side validation."

Attack vector

An attacker intercepts the OTP verification HTTP request (e2e) and rewrites the server's response from a 403 error to a 200 OK with the JSON body `{"code":"otp_success","message":"valid"}`. The OTP check itself still fails on the server; the bypass works because the downstream step (marking the email verified, enabling 2FA) acts on the client-held verification state derived from that response instead of on a server-side record of a successful OTP check. The attacker can then enable 2FA on the victim's account or take it over without ever knowing the correct OTP [ref_id=1]. A practitioner testing for this class of bug submits a deliberately wrong OTP through an intercepting proxy, rewrites the 403 into the success body, and checks whether the server still completes the next step of the flow.

What the fix does

The advisory recommends enforcing strict server-side OTP validation, binding the verification status to server-generated tokens only, and rejecting any client-controlled verification states [ref_id=1]. The patch is not shown in the bundle, but the remediation guidance makes the required shape of the fix clear: the server must keep its own record of a successful OTP check (a session flag or a single-use, server-issued token tied to the account), and the endpoint that enables 2FA or completes verification must consult only that record, ignoring any "verified" claim the client sends. Until that holds, a forged 200 OK continues to be accepted as proof of OTP validity.
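The flow above, modelled as an added example (not Capgo's code) in TypeScript: an OTP check whose 403 is rewritten to the success body by an intercepting proxy, followed by a 2FA-enablement call. It contrasts an endpoint that accepts the client's own "verified" claim with one that only accepts a single-use proof the server issued and stored. The `Server` class, the endpoint handlers, the `proof` field and the email address are hypothetical and exist only for illustration.

```typescript
// Added example, not Capgo's code. Endpoint names, the `proof` field and the
// Server class are hypothetical stand-ins for a /verify-otp and /enable-2fa pair.
import { randomBytes, timingSafeEqual } from "node:crypto";

interface HttpResponse { status: number; body: Record<string, string>; }

const ok = (body: Record<string, string>): HttpResponse => ({ status: 200, body });
const forbidden = (code: string): HttpResponse => ({ status: 403, body: { code, message: "invalid" } });

// Constant-time string comparison for the OTP check.
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a), bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

class Server {
  private pendingOtps = new Map<string, string>(); // email -> OTP "sent" by email
  private proofs = new Map<string, string>();      // server-issued proof -> email
  readonly twoFactorEnabled = new Set<string>();

  // Issue a 6-digit OTP; returning it here stands in for the email delivery.
  issueOtp(email: string): string {
    const otp = String(randomBytes(4).readUInt32BE(0) % 1_000_000).padStart(6, "0");
    this.pendingOtps.set(email, otp);
    return otp;
  }

  // /verify-otp: the only place the OTP is checked. On success the server records
  // a single-use proof bound to the email; the response carries it to the client.
  verifyOtp(email: string, otp: string): HttpResponse {
    const expected = this.pendingOtps.get(email);
    if (expected === undefined || !safeEqual(expected, otp)) return forbidden("otp_invalid");
    this.pendingOtps.delete(email);
    const proof = randomBytes(16).toString("hex");
    this.proofs.set(proof, email);
    return ok({ code: "otp_success", message: "valid", proof });
  }

  // Vulnerable /enable-2fa: trusts the client's own claim that verification passed.
  enable2faVulnerable(email: string, body: Record<string, string>): HttpResponse {
    if (body.verified !== "true") return forbidden("not_verified");
    this.twoFactorEnabled.add(email);
    return ok({ code: "2fa_enabled", message: "ok" });
  }

  // Hardened /enable-2fa: requires a proof the server issued, bound to this email,
  // consumed on use. Nothing the client asserts about the earlier response matters.
  enable2faHardened(email: string, body: Record<string, string>): HttpResponse {
    const proof = body.proof;
    const owner = proof === undefined ? undefined : this.proofs.get(proof);
    if (proof === undefined || owner === undefined || owner !== email) return forbidden("not_verified");
    this.proofs.delete(proof);
    this.twoFactorEnabled.add(email);
    return ok({ code: "2fa_enabled", message: "ok" });
  }
}

// Client flow as the advisory describes it: act on /verify-otp's response, then
// call /enable-2fa. `tamper` models an intercepting proxy replacing the 403 with
// status 200 and the body {"code":"otp_success","message":"valid"}.
function clientFlow(server: Server, email: string, otp: string,
                    hardened: boolean, tamper: boolean): boolean {
  let resp = server.verifyOtp(email, otp);
  if (tamper) resp = ok({ code: "otp_success", message: "valid" });
  if (resp.status !== 200 || resp.body.code !== "otp_success") return false;
  const proof = resp.body.proof;
  const body: Record<string, string> = hardened
    ? (proof === undefined ? {} : { proof })
    : { verified: "true" };
  const r2 = hardened ? server.enable2faHardened(email, body)
                      : server.enable2faVulnerable(email, body);
  return r2.status === 200 && server.twoFactorEnabled.has(email);
}

// A guess guaranteed not to match the real OTP.
const wrongOtp = (real: string): string => (real === "000000" ? "000001" : "000000");

// Returns whether 2FA ended up enabled in each scenario.
function runScenarios(): { vulnTampered: boolean; hardTampered: boolean; hardLegit: boolean } {
  const email = "victim@example.com"; // constructed sample account
  const s1 = new Server(); const otp1 = s1.issueOtp(email);
  const vulnTampered = clientFlow(s1, email, wrongOtp(otp1), false, true);
  const s2 = new Server(); const otp2 = s2.issueOtp(email);
  const hardTampered = clientFlow(s2, email, wrongOtp(otp2), true, true);
  const s3 = new Server(); const otp3 = s3.issueOtp(email);
  const hardLegit = clientFlow(s3, email, otp3, true, false);
  return { vulnTampered, hardTampered, hardLegit };
}

console.log(runScenarios()); // { vulnTampered: true, hardTampered: false, hardLegit: true }
```

The forged response only matters in the vulnerable variant, where the client's `verified: "true"` is the sole evidence the server consults. In the hardened variant the forged body carries no server-issued proof, so the 2FA call is refused even though the client believed verification succeeded; the proof is also deleted on use, so it cannot be replayed.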

Preconditions

  • Network: the attacker must be able to intercept or proxy the OTP verification HTTP request (e.g., from a man-in-the-middle position or by controlling the client-side traffic).
  • Input: the target account must have the OTP verification feature enabled and the attacker must know the victim's account identifier.

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet).