Description
Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.
Published: 2026-06-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-Go Console versions before 12.28.2 contain a denial-of-service flaw in the account-deletion routine. When a user triggers account deletion while a device identifier is associated with the active session, the platform applies the deletion flag to that device identifier rather than to the deleted account alone. As a result, the device or browser is redirected to an account-disabled page for roughly 30 days, and no login or registration from that device succeeds during that period. The weakness is classified as an overly restrictive account lockout mechanism (CWE-645), and it disrupts users' ability to authenticate and to onboard new accounts.
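To make the flaw concrete, the following is an added, hypothetical Python model of the logic described above; it is not Capgo's code, and the class names, the account and device identifiers, and the timestamp are all constructed. The vulnerable version keys the "account disabled" state by the session's device identifier, so every account on that device is locked out for 30 days, while the corrected version keys it by account id.

```python
from datetime import datetime, timedelta

# Lockout window the advisory describes (approximately 30 days).
DISABLE_PERIOD = timedelta(days=30)


class Session:
    def __init__(self, account_id, device_id):
        self.account_id = account_id
        self.device_id = device_id  # identifier linked to the active session


class VulnerableConsole:
    """Flawed flow: the 'account disabled' state is keyed by device id."""
    def __init__(self):
        self.disabled_until = {}  # device_id -> datetime

    def delete_account(self, session, now):
        # Bug: the deletion marker is attached to the device identifier
        # linked to the session instead of to the deleted account.
        if session.device_id is not None:
            self.disabled_until[session.device_id] = now + DISABLE_PERIOD

    def can_authenticate(self, account_id, device_id, now):
        # Every login or registration from this device is refused
        # (redirected to the account-disabled page) until the marker expires.
        until = self.disabled_until.get(device_id)
        return until is None or now >= until


class FixedConsole:
    """Corrected flow: the disabled state is keyed by account id only."""
    def __init__(self):
        self.disabled_until = {}  # account_id -> datetime

    def delete_account(self, session, now):
        self.disabled_until[session.account_id] = now + DISABLE_PERIOD

    def can_authenticate(self, account_id, device_id, now):
        until = self.disabled_until.get(account_id)
        return until is None or now >= until


def demo(console_cls):
    """Returns (deleted_user_blocked, other_user_blocked, other_user_blocked_after_30_days)."""
    now = datetime(2026, 6, 12, 12, 0)  # constructed timestamp
    console = console_cls()
    console.delete_account(Session("alice", "device-1"), now)  # constructed ids
    victim = not console.can_authenticate("alice", "device-1", now)
    other = not console.can_authenticate("bob", "device-1", now)
    later = not console.can_authenticate("bob", "device-1", now + DISABLE_PERIOD)
    return victim, other, later
```

Running `demo(VulnerableConsole)` shows a different user being refused on the same device for the full window, which is the denial-of-service condition; `demo(FixedConsole)` blocks only the deleted account.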

Affected Systems

All Cap-Go Console installations running a version older than 12.28.2 are affected. The problem is present in any build of the console that implements the described account-deletion logic, regardless of deployment environment. No specific minor releases are singled out in the advisory.

Risk and Exploitability

With a CVSS 4.0 score of 7.1 the flaw poses a high-impact risk. The EPSS score is very low (below 1%), and the vulnerability is not listed in the CISA KEV catalog, indicating that no public exploitation is currently known. An attacker would need to be able to initiate the deletion process, which normally requires a valid authenticated session; the attack vector is therefore remote, user-initiated deletion via the web interface or API. If an account is compromised, an attacker could trigger the deletion and deny the user service from that device for about a month, until the deletion flag is cleared or a new device identifier is assigned.

Generated by OpenCVE AI on June 13, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cap-Go Console to version 12.28.2 or newer to apply the vendor fix
  • If an upgrade cannot be performed immediately, avoid performing account deletion while the device identifier remains linked to the session; use a fresh device or browser without an associated identifier for deletion to prevent the deletion state from propagating to the original device
  • Monitor account deletion logs and authentication events for abnormal patterns that might indicate exploitation attempts

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 12:45:00 +0000

Description
  Removed: Capgo Console prior to 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.
  Added: Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.
Title
  Removed: Capgo Console < 12.28.2 Account Deletion DoS via Device Identifier Association
  Added: Cap-go Console < 12.28.2 Account Deletion DoS via Device Identifier Association

Fri, 12 Jun 2026 21:30:00 +0000

Metrics (ssvc) added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 20:45:00 +0000

First Time appeared: Cap-go; Cap-go console.capgo.app
Vendors & Products: Cap-go; Cap-go console.capgo.app

Fri, 12 Jun 2026 19:30:00 +0000

Weaknesses: CWE-284

Fri, 12 Jun 2026 18:45:00 +0000

Weaknesses: CWE-645

Fri, 12 Jun 2026 17:15:00 +0000

Description: Capgo Console prior to 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.
Title: Capgo Console < 12.28.2 Account Deletion DoS via Device Identifier Association
Weaknesses: CWE-284
References
Metrics:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-14T18:04:49.202Z

Reserved: 2026-06-11T16:07:13.000Z

Link: CVE-2026-53982

Vulnrichment

Updated: 2026-06-12T20:51:55.530Z

NVD

Status: Deferred

Published: 2026-06-12T17:16:26.727

Modified: 2026-06-15T20:50:47.973

Link: CVE-2026-53982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T14:00:09Z

Weaknesses
  • CWE-645: Overly Restrictive Account Lockout Mechanism