CVE-2026-56338

Sažetak

Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors with captcha verification process failed messages, blocking access to security controls.

Reference

https://github.com/Cap-go/capgo/security/advisories/GHSA-m53g-7gcj-x6f7
https://www.vulncheck.com/advisories/capgo-denial-of-service-in-2fa-email-verification-via-auth-v1-otp-endpoint
https://github.com/Cap-go/capgo/security/advisories/GHSA-m53g-7gcj-x6f7

CVSS

Base:	5.3
Impact:	1.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Zadnje važnije ažuriranje

25-06-2026 - 14:03

Objavljeno

24-06-2026 - 13:16