CVE-2026-56081 – Cap-go – Account Lockout via 2FA Misconfiguration on Unverified Email

CVE ID :CVE-2026-56081

Published : June 19, 2026, 9:39 p.m. | 2 hours, 3 minutes ago

Description :Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim’s email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim’s identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.

Severity: 9.3 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…