CVE-2026-53981 HIGH

CVE-2026-53981: Cap-go < v12.128.2 Account Takeover via Unauthenticated Email Change Mechanism

Vendor Cap-Go
Product Cap-go
Weakness CWE-306 · Missing auth
Published June 12, 2026
Last update June 12, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated