External risk intelligence

Cap-go OTP Bypass via Response Manipulation

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-56073

The vulnerability affects an authentication mechanism (email verification/OTP) for a web-based service. Such services are commonly exposed to the internet to facilitate user registration and account management, making this a frequent component of public-facing web applications.

Authentication Bypass

External exposure likelihood: Halo Surface Signal 4 out of 5 (likely to be public-facing).

Horizon Alert

Summary of the vulnerability and why it matters

This advisory describes a critical vulnerability in the Cap-go platform that could allow unauthorized access to user accounts. The issue involves bypassing email verification, potentially enabling account takeover. While the exact business impact requires further assessment, the nature of the vulnerability highlights the importance of secure authentication processes.

  • Bypass email verification for account access.
  • Authentication bypass can lead to account takeover.
  • Confirm relevance and exposure to business operations.

Attack Path

How an attacker could exploit the issue

An attacker could bypass the email verification process by intercepting and altering the server's response to OTP verification requests. This manipulation tricks the system into thinking the verification was successful, even without a valid OTP. This could allow an attacker to enable two-factor authentication for an account they do not own and subsequently take over the account.

  • No special access needed.
  • Intercept and modify server responses.
  • Unauthorized account takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to bypass email verification by intercepting and modifying server responses during OTP verification. As the advisory describes, this could lead to unauthorized enablement of two-factor authentication and potential account takeover.

  • Account takeover.
  • Manipulating server responses.
  • Unauthorized 2FA enablement.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Cap-go's OTP verification impacts systems that use it for email verification, potentially allowing unauthorized 2FA enablement and account takeover. Ownership likely falls to the application owner responsible for the Cap-go deployment and its associated user accounts. The first practical step is to identify all instances of Cap-go, confirm their exposure and criticality, and then engage the appropriate teams for remediation planning.

  • Application owners must own the issue.
  • Verify OTP verification reachability and criticality.
  • Plan remediation or implement temporary risk reduction.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Cap-go software?

Cap-go is a platform used to manage application deployments and updates, providing essential backend services like user authentication and account management. It acts as a delivery system for software packages, and its features—such as email verification—are foundational for securing access to these environments.

How does the CVE-2026-56073 authentication bypass work?

This vulnerability, classified as CWE-345 (Insufficient Verification of Data Authenticity), occurs when the system fails to properly validate the integrity of server responses. An attacker can intercept the network traffic during the OTP verification process and modify the HTTP response. Because the system blindly trusts this manipulated data, it incorrectly registers the verification as successful, granting access without a valid one-time password.
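An added Python illustration (not Cap-go's code and not from the advisory; every name in it is hypothetical) of the design property the CWE-345 classification points at: the server records the verification outcome itself, and the 2FA-enablement step consults only that record, so a verification response altered in transit changes nothing the server trusts.

```python
# Constructed illustration (not Cap-go's code; every name here is hypothetical) of the pattern behind
# CWE-345 in an OTP flow: the step gated on verification reads state the server recorded itself.
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real service loads this from a secret store

@dataclass
class Session:
    user_id: str
    otp_hash: bytes = b""          # keyed hash of the live code, empty when none is outstanding
    otp_expires: float = 0.0
    attempts: int = 0
    email_verified: bool = False   # written only by verify_otp, never from client input
    two_factor_enabled: bool = False

def hash_otp(user_id: str, otp: str) -> bytes:
    # Keyed hash so a leaked session store does not reveal live codes.
    return hmac.new(SERVER_SECRET, f"{user_id}:{otp}".encode(), "sha256").digest()

def issue_otp(session: Session, now: float) -> str:
    otp = f"{secrets.randbelow(10**6):06d}"
    session.otp_hash = hash_otp(session.user_id, otp)
    session.otp_expires = now + OTP_TTL_SECONDS
    session.attempts = 0
    return otp  # delivered to the user's email out of band, never echoed in a response

def verify_otp(session: Session, submitted: str, now: float) -> dict:
    # The returned body is informational only; the authoritative result is session.email_verified.
    if not session.otp_hash or now >= session.otp_expires:
        return {"verified": False}
    session.attempts += 1
    if hmac.compare_digest(session.otp_hash, hash_otp(session.user_id, submitted)):
        session.otp_hash = b""          # single use
        session.email_verified = True   # the only place this flag is set
        return {"verified": True}
    if session.attempts >= MAX_ATTEMPTS:
        session.otp_hash = b""          # burn the code after repeated failures
    return {"verified": False}

def enable_2fa(session: Session, client_claims: dict) -> bool:
    # The anti-pattern behind this bug class would branch on client_claims.get("verified"), i.e. on
    # the verification response echoed back by the client. Here client_claims is deliberately ignored.
    if session.email_verified:
        session.two_factor_enabled = True
    return session.two_factor_enabled
```

The same rule applies to any other step gated on verification (password reset, email change): check the server-side flag, not a field the client sends.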

Do I need special access to trigger this vulnerability?

No. The vulnerability does not require special administrative privileges, credentials, or prior access to the system. It is triggered solely by intercepting and altering the specific HTTP traffic generated during the OTP exchange. It cannot be triggered if the verification process is not initiated or if the server response remains unaltered and correctly validated by the intended client.

Is my Cap-go instance at risk?

According to Halo Surface Signal, this vulnerability is considered a likely risk if your Cap-go instance is exposed to the internet. Because the affected email verification and OTP mechanisms are standard components for web-based services that manage user registration, any instance reachable from the public network is a potential target for this bypass.

What should I do if I am running Cap-go?

The first step is to locate all deployments of Cap-go within your environment. Once identified, confirm which instances are internet-facing and verify their current version to check if they are older than 12.128.2. Engage your development or application security teams to review the authentication flow and prioritize remediation efforts to secure the verification process.
