Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable email-change endpoint (AV:N/AC:L); requires a temporary authenticated session so PR:L; no victim interaction (UI:N); full account takeover yields C:H/I:H, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.
AnalysisAI
Account takeover in Cap-go (Capgo) versions prior to 12.128.2 allows an attacker holding a temporary authenticated session to change the account's registered email address without re-authentication (no password or MFA prompt), then trigger a password reset to attacker-controlled inbox and seize the account. The flaw, reported by VulnCheck and tracked as a missing-authentication weakness (CWE-306), has a vendor patch but no public exploit identified at time of analysis.
Technical ContextAI
Capgo is a self-hostable live-update / OTA platform for Capacitor mobile apps, with its backend implemented as Supabase Edge Functions (TypeScript/Deno) - the patched commit 6685e5f bumps the supabase/functions/_backend/utils/version.ts version constant from 12.128.1 to 12.128.2. The vulnerable code path is the email-change mechanism inside this Supabase-backed auth flow, which accepted a new email address using only the existing session cookie/JWT and did not re-verify the user's password or MFA factor before issuing a verification email to the new address. This is a textbook CWE-306 (Missing Authentication for Critical Function): a security-sensitive identity-changing operation reuses the ambient session instead of requiring step-up authentication, which is the standard control for email/password/MFA changes.
RemediationAI
Vendor-released patch: Capgo 12.128.2 - operators of self-hosted Capgo instances should upgrade to 12.128.2 or later (commit 6685e5f11adef257bf3d085e481f4d8ebcec602e on the Cap-go/capgo repository) as published in advisory GHSA-w56g-jv78-hf79. If an immediate upgrade is not possible, compensating controls include disabling self-service email change in the Supabase Edge Function exposing the change-email endpoint (forcing email changes to go through admin/support), shortening session lifetimes and invalidating sessions on sensitive account changes, and requiring users to re-authenticate (password + MFA where enabled) at the gateway/reverse-proxy layer before reaching the email-change route - the trade-off is degraded self-service UX and additional support load. Operators should also audit recent email-change and password-reset events for anomalies and force-reset credentials on any account that changed email shortly before a password reset.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36496