Description
Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations.
Published: 2026-06-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 allows attackers to create accounts using arbitrary email addresses that are never verified, and then to delete them, leaving the email locked in a pending deletion state. This process can be repeated to lock valid users out of the platform for 30 days, effectively denying them access. The weakness is a failure to verify ownership of the email address before acting on it, corresponding to CWE-306. The impact is a prolonged service disruption that affects user availability without compromising data confidentiality or integrity.

Affected Systems

All installations of Capgo with a release prior to 12.128.2 are vulnerable. No granular version information was supplied, so any deployment that has not upgraded to at least 12.128.2 remains at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability. No EPSS score is available, but the lack of required email verification and the ability to force a pending deletion state suggest a high likelihood of exploitation. The attack vector is likely the public registration and deletion APIs; an attacker needs only to supply an arbitrary email address and can carry out the attack from any reachable location. The vulnerability is not listed in the CISA KEV catalog, but the potential for a sustained denial of service makes it a priority for remediation.

Generated by OpenCVE AI on June 12, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to apply the vendor fix
  • Immediately block or limit new account registrations until the email verification process is enforced
  • Remove any accounts currently in a pending deletion state through the administrative interface or API and enforce a cooldown period for email reuse

Generated by OpenCVE AI on June 12, 2026 at 23:35 UTC.
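The account-lifecycle flaw described under Impact, and the verification gating that the recommended actions call for, as an added Python model (not Capgo's code): a `require_verified` flag decides whether a signup that never proved mailbox ownership may park the address in the 30-day pending-deletion state. Class names, method names and the example address are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PENDING_DELETION_DAYS = 30  # lock window stated in the advisory

@dataclass
class Account:
    email: str
    verified: bool = False  # set only after the owner proves control of the mailbox

class AccountService:
    """require_verified=False models the flawed flow; True models the fix."""

    def __init__(self, require_verified: bool):
        self.require_verified = require_verified
        self.accounts: dict[str, Account] = {}
        self.locked_until: dict[str, datetime] = {}  # email -> end of lock

    def _is_locked(self, email: str, now: datetime) -> bool:
        until = self.locked_until.get(email)
        if until is not None and until > now:
            return True
        self.locked_until.pop(email, None)  # expired or absent: release it
        return False

    def register(self, email: str, now: datetime) -> Account:
        if email in self.accounts or self._is_locked(email, now):
            raise PermissionError(f"{email} is unavailable")
        self.accounts[email] = Account(email)
        return self.accounts[email]

    def request_deletion(self, email: str, now: datetime) -> None:
        acct = self.accounts.pop(email)
        if self.require_verified and not acct.verified:
            return  # hardened: unproven ownership reserves nothing, drop it outright
        # only a verified owner may park the address in the 30-day pending state
        self.locked_until[email] = now + timedelta(days=PENDING_DELETION_DAYS)

def owner_can_register_after_unverified_deletion(require_verified: bool) -> bool:
    """True if the real owner can still sign up after an unverified signup was deleted."""
    svc = AccountService(require_verified)
    t0 = datetime(2026, 6, 12, tzinfo=timezone.utc)  # constructed timestamp
    svc.register("owner@example.com", t0)       # third-party signup, never verified
    svc.request_deletion("owner@example.com", t0)
    try:
        svc.register("owner@example.com", t0 + timedelta(days=1))
        return True
    except PermissionError:
        return False
```

With the flag off the address stays reserved for the whole window; with it on, only a verified account can create the pending-deletion lock, which is the check that removes the denial-of-service path.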

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:15:00 +0000

Type         Values Removed   Values Added
Description                   Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations.
Title                         Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion
Weaknesses                    CWE-306
References
Metrics                       cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                              cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-12T21:57:03.338Z

Reserved: 2026-06-10T21:23:54.283Z

Link: CVE-2026-53868

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:56.153

Modified: 2026-06-12T22:16:56.153

Link: CVE-2026-53868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:45:26Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function