Home

Description

Capgo Console prior to 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.

PUBLISHED Reserved 2026-06-11 | Published 2026-06-12 | Updated 2026-06-12 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-284 Improper Access Control

Product status

Default status
affected

Any version before 12.128.2
affected

6685e5f11adef257bf3d085e481f4d8ebcec602e (git)
unaffected

Credits

Naitik Gupta finder

References

github.com/.../capgo/security/advisories/GHSA-qmrm-qgwr-55jf vendor-advisory

github.com/...ommit/6685e5f11adef257bf3d085e481f4d8ebcec602e patch

www.vulncheck.com/...n-dos-via-device-identifier-association third-party-advisory

cve.org (CVE-2026-53982)

nvd.nist.gov (CVE-2026-53982)

Download JSON