Impact
Capgo Console versions prior to 12.28.2 contain a flaw in the account deletion flow that mis-associates the deletion state with a device identifier. When an authenticated user triggers account deletion while a device identifier is linked to the active session, the platform marks that device as deleted and redirects it to an account-disabled page for roughly 30 days. During that period the affected device or browser cannot log in or register a new account, effectively denying the user service. This vulnerability is categorized as a wrong identification of authorization state, corresponding to CWE-645.
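The following is an added illustration of the bug class described above, not Capgo's code: a deletion flow that keys the "deleted" state on the device identifier attached to the session, placed beside a corrected flow that keys it on the account record only. The store layout, function names, session shape and the use of a 30-day window as a constant are all hypothetical; the point is that in the fixed design a device identifier never decides whether a login or registration is allowed.

```javascript
// Hypothetical model of the account-deletion flow; not Capgo's implementation.
// The 30-day window mirrors the duration stated in the advisory.
const DELETION_WINDOW_MS = 30 * 24 * 60 * 60 * 1000;

// Minimal in-memory state standing in for a console backend (constructed).
function makeStore() {
  return {
    accounts: new Map(),        // accountId -> { deletedAt: number | null }
    blockedDevices: new Map(),  // deviceId -> blockedUntil (vulnerable path only)
  };
}

function createAccount(store, accountId) {
  store.accounts.set(accountId, { deletedAt: null });
}

// VULNERABLE: the deletion state is attached to the device linked to the
// session, so the device itself is locked out, not just the deleted account.
function deleteAccountVulnerable(store, session, now) {
  store.accounts.delete(session.accountId);
  if (session.deviceId) {
    store.blockedDevices.set(session.deviceId, now + DELETION_WINDOW_MS);
  }
}

// Registration from a device is refused while its block is in force.
function canRegisterVulnerable(store, deviceId, now) {
  const until = store.blockedDevices.get(deviceId);
  return until === undefined || now >= until;
}

// FIXED: the deletion state lives on the account record. The device
// identifier is never consulted for login or registration decisions.
function deleteAccountFixed(store, session, now) {
  const acct = store.accounts.get(session.accountId);
  if (acct) acct.deletedAt = now;
}

// Only the deleted account is unusable during the grace window.
function canLoginFixed(store, accountId, now) {
  const acct = store.accounts.get(accountId);
  if (!acct) return false;
  return acct.deletedAt === null || now >= acct.deletedAt + DELETION_WINDOW_MS;
}

// A fresh registration is allowed regardless of which device it comes from.
function canRegisterFixed(_store, _deviceId, _now) {
  return true;
}

// Scenario from the advisory: user deletes account 'A' from device 'D',
// then tries to register a new account from the same device.
function scenario(deleteFn, canRegisterFn) {
  const store = makeStore();
  const now = Date.now();
  createAccount(store, 'A');
  deleteFn(store, { accountId: 'A', deviceId: 'D' }, now);
  return {
    store,
    now,
    sameDeviceCanRegisterNow: canRegisterFn(store, 'D', now),
    sameDeviceCanRegisterAfterWindow:
      canRegisterFn(store, 'D', now + DELETION_WINDOW_MS + 1),
  };
}

const vulnerable = scenario(deleteAccountVulnerable, canRegisterVulnerable);
const fixed = scenario(deleteAccountFixed, canRegisterFixed);
console.log('vulnerable: same device can register now?', vulnerable.sameDeviceCanRegisterNow);
console.log('fixed:      same device can register now?', fixed.sameDeviceCanRegisterNow);
```

In the vulnerable path the device is refused for the whole window even though the account it was tied to no longer exists; in the fixed path the deleted account stays unusable while any other account on the same device is unaffected, which is the behaviour a reviewer should check for when auditing deletion or lockout code that has access to a device identifier.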
Affected Systems
All users running Capgo Console before version 12.28.2 are affected. The vulnerability lies in the console component hosted at console.capgo.app; it is not tied to a specific minor release and applies to any build older than 12.28.2. The advisory gives no further detail on how the console is built or deployed at specific versions.
Risk and Exploitability
The CVSS score of 7.1 indicates a high impact if exploited. The exploit probability (EPSS) is currently not disclosed, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need the ability to trigger the account-deletion workflow, which typically implies that the attacker has obtained credentials or can otherwise initiate the deletion from a device already linked to the session. The risk is therefore moderate to high for compromised or privileged accounts: the affected device experiences denial of service for about a month, until a new device identifier is assigned or the deletion flag is cleared. The attack vector is inferred to be a remote, user-initiated deletion through the web interface or API; no exploitation of external network services is required beyond standard authentication.
OpenCVE Enrichment