Description
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo version 12.128.1 and earlier fail to delete previously uploaded profile images from backend storage when users replace or remove them, leaving orphaned files accessible via known URLs. An attacker who can trigger the replacement or removal of a user's profile image can subsequently retrieve the orphans, exposing user‑uploaded content that should no longer be accessible. This flaw is a clear example of CWE‑459, where outdated old data remains available after a service no longer needs it, leading to unintended data disclosure.

Affected Systems

The vulnerability affects all installations of Capgo that run a version earlier than 12.128.2, regardless of the deployment environment. The product in question is the Cap‑go open‑source project, typically deployed behind authentication to manage user profiles.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated user or attacker who can upload, replace, or delete profile images—common operations in a typical system using Capgo. Once an orphaned file remains, the attacker may simply use the preserved URL to download the content without requiring further privileges. Because the flaw is a data‑lifetime oversight rather than an injection or privilege‑escalation bug, the exploitation does not require special infrastructure, but it does rely on being able to perform normal user actions.

Generated by OpenCVE AI on June 12, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later
  • If an upgrade is not immediately possible, disable profile image upload or deletion features to prevent orphan creation
  • Implement a periodic cleanup script that scans the storage bucket for images no longer referenced by any active profile and removes them

Generated by OpenCVE AI on June 12, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Fri, 12 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
Title Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement
Weaknesses CWE-459
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T17:34:45.404Z

Reserved: 2026-06-10T21:23:54.283Z

Link: CVE-2026-53867

cve-icon Vulnrichment

Updated: 2026-06-15T16:52:46.237Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T22:16:56.007

Modified: 2026-06-15T20:50:47.973

Link: CVE-2026-53867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:29:50Z

Weaknesses