CVE-2026-53868
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Capgo | Capgo | 0 < 12.128.2 | affected |
| Capgo | Capgo | 12.128.2 | unaffected |
Weaknesses
- CWE-306: Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/Cap-go/capgo/security/advisories/GHSA-3wfv-m8fq-7r5g
- https://www.vulncheck.com/advisories/capgo-denial-of-service-via-unverified-email-account-registration-and-deletion
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.