Skip to main content

Cap-go Capgo CVE-2026-53981

| EUVDEUVD-2026-36496 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-12 VulnCheck
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable email-change endpoint (AV:N/AC:L); requires a temporary authenticated session so PR:L; no victim interaction (UI:N); full account takeover yields C:H/I:H, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 17:30 vuln.today
Analysis Generated
Jun 12, 2026 - 17:30 vuln.today

DescriptionCVE.org

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.

AnalysisAI

Account takeover in Cap-go (Capgo) versions prior to 12.128.2 allows an attacker holding a temporary authenticated session to change the account's registered email address without re-authentication (no password or MFA prompt), then trigger a password reset to attacker-controlled inbox and seize the account. The flaw, reported by VulnCheck and tracked as a missing-authentication weakness (CWE-306), has a vendor patch but no public exploit identified at time of analysis.

Technical ContextAI

Capgo is a self-hostable live-update / OTA platform for Capacitor mobile apps, with its backend implemented as Supabase Edge Functions (TypeScript/Deno) - the patched commit 6685e5f bumps the supabase/functions/_backend/utils/version.ts version constant from 12.128.1 to 12.128.2. The vulnerable code path is the email-change mechanism inside this Supabase-backed auth flow, which accepted a new email address using only the existing session cookie/JWT and did not re-verify the user's password or MFA factor before issuing a verification email to the new address. This is a textbook CWE-306 (Missing Authentication for Critical Function): a security-sensitive identity-changing operation reuses the ambient session instead of requiring step-up authentication, which is the standard control for email/password/MFA changes.

RemediationAI

Vendor-released patch: Capgo 12.128.2 - operators of self-hosted Capgo instances should upgrade to 12.128.2 or later (commit 6685e5f11adef257bf3d085e481f4d8ebcec602e on the Cap-go/capgo repository) as published in advisory GHSA-w56g-jv78-hf79. If an immediate upgrade is not possible, compensating controls include disabling self-service email change in the Supabase Edge Function exposing the change-email endpoint (forcing email changes to go through admin/support), shortening session lifetimes and invalidating sessions on sensitive account changes, and requiring users to re-authenticate (password + MFA where enabled) at the gateway/reverse-proxy layer before reaching the email-change route - the trade-off is degraded self-service UX and additional support load. Operators should also audit recent email-change and password-reset events for anomalies and force-reset credentials on any account that changed email shortly before a password reset.

Share

CVE-2026-53981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy