Cappo Critical Auth Logic Flaw: 2FA Misconfiguration Leads to Account Lockout

Vulnerability Overview Title: Critical Vulnerability: 2FA Misconfiguration Leads to Victim Lockout Description: Vulnerability Report: 2FA Misconfiguration Leading to Permanent Victim Lockout Reporter: Penetest Severity: Critical Category: Authentication Logic Flaw / 2FA Misconfiguration / Account Lockout Summary: A critical authentication logic flaw allows an attacker to enable and configure Two-Factor Authentication (2FA) without verifying ownership of the victim's email address. Since email verification is not enforced during registration, the attacker can register with any arbitrary email address, access the dashboard, and enable 2FA as well as organization-level 2FA policies. Once configured, the legitimate email owner is permanently locked out of the account. This results in pre-account takeover, ultimately leading to permanent access denial for the genuine user. Scope Software: https://console.cappo.app/settings/account Affected Versions: < 12.128.2 Fixed Version: 12.128.2 Severity: Critical CVE ID: No known CVE Weaknesses: No CWEs Impact: Permanent Account Lockout: Legitimate users lose access to their own email-based accounts. Pre-Account Takeover: Attackers claim the account before the real user. Denial of Service: The victim is unable to use the platform. 2FA Abuse: Security controls are weaponized as an attack vector. Repeatable Attack: Can be executed across multiple email addresses. Business Impact: Disrupted User Onboarding: New users may be unable to register. Erosion of User Trust: Users lose confidence in account security. Increased Support Overhead: Surge in account recovery requests. Compliance Risk: Weak authentication processes. Brand Reputation Damage: Perceived as having insecure authentication design. Remediation CVSS v3.1 (Recommended): Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Score: 9.1 — Critical Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Root Cause (Potential): No email verification before account activation. 2FA is allowed to be enabled on unverified accounts. Organization 2FA policies can be enforced without authentication. The backend does not confirm email ownership before enabling security controls. Recommended Remediation: Enforce mandatory email verification prior to dashboard access. Block 2FA setup until the email address is verified. Prevent policy enforcement from unverified accounts. Add email ownership validation before enabling security features. Notify users of any changes to security settings. Implement safeguards to prevent pre-account takeover. Conclusion: This 2FA misconfiguration allows attackers to weaponize security features, permanently locking out legitimate users and resulting in service denial and pre-account takeover risks. Immediate enforcement of email verification and secure authentication processes is required. Reporter: Penetest POC Code

Goal Reached Thanks to every supporter — we hit 100%!

Cappo Critical Auth Logic Flaw: 2FA Misconfiguration Leads to Account Lockout

More from this source