
Description

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations.

Status: Published | Reserved 2026-06-10 | Published 2026-06-12 | Updated 2026-06-15 | Assigner: VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Missing Authentication for Critical Function

Product status

Default status: unaffected

Any version before 12.128.2: affected

12.128.2 (semver): unaffected

Credits

Naitik Gupta (reporter)

References

github.com/.../capgo/security/advisories/GHSA-3wfv-m8fq-7r5g (GHSA Advisory GHSA-3wfv-m8fq-7r5g) vendor-advisory

www.vulncheck.com/...email-account-registration-and-deletion (VulnCheck Advisory: Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion) third-party-advisory

cve.org (CVE-2026-53868)

nvd.nist.gov (CVE-2026-53868)
