Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

An attacker registers an account using the victim's email address without needing to verify ownership of that email [ref_id=1]. Because the signup flow does not require email verification before granting dashboard access, the attacker can log in, enable two-factor authentication (2FA), and enforce organization-level 2FA policies on the unverified account [ref_id=1]. The legitimate email owner is then permanently locked out: they cannot register (account already exists), and even after a password reset they cannot log in because 2FA is required and controlled by the attacker [ref_id=1]. This is a pre-account takeover that also constitutes a denial-of-service against the victim.

The advisory does not specify exact file paths or functions; the flaw resides in the signup and authentication flow where email verification is not enforced before dashboard access and 2FA configuration.

The advisory recommends enforcing mandatory email verification before dashboard access, blocking 2FA setup until the email is verified, and preventing policy enforcement from unverified accounts [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are not visible; however, the remediation guidance makes clear that the root cause is the lack of email ownership validation before granting account access and security feature configuration.