Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-56308 affects Capgo versions before 12.128.2 and represents a critical account takeover vulnerability stemming from insufficient re-authentication controls. The vulnerability allows attackers with an active session cookie or authenticated browser access to change an account's email address without requiring password confirmation or verification of the current email. This is particularly dangerous because email addresses serve as the primary recovery mechanism for account access and password resets—changing it effectively locks the legitimate owner out while granting the attacker persistent control. Any organization using Capgo for application updates or configuration management exposes user accounts to unauthorized access, credential compromise, and potential lateral movement within connected systems.
While this vulnerability doesn't map directly to a specific MITRE ATT&CK technique, Casky's security skills would detect attack patterns associated with account manipulation and session exploitation by analyzing authentication logs for suspicious email modification requests, session anomalies, and account recovery attempts. Practitioners using Casky's Claude AI-powered analysis would identify indicators such as email change requests originating from unexpected geographic locations, multiple failed recovery attempts after legitimate email changes, or session tokens being leveraged for account modifications without corresponding password verification events. The extended reasoning capability would correlate these signals to surface the underlying authentication weakness—specifically the absence of step-up authentication (CWE-640: Weak or Missing Password Requirements) and help practitioners prioritize remediation to mandate password re-confirmation and email verification workflows before any email address modifications are processed.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-56308. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation