Impact
Cap‑Go Console versions before 12.28.2 contain a denial‑of‑service flaw in the account‑deletion routine. When a user triggers account deletion while a device identifier is associated with the active session, the platform applies the deletion flag to that device identifier rather than only to the account. As a result, the device or browser is redirected to an account‑disabled page for roughly 30 days, preventing any login or registration from that device. The weakness is classified as CWE‑645 (a mistake in how the authorization state is identified) and can disrupt users’ ability to authenticate and to onboard new accounts.
Affected Systems
All Cap‑Go Console installations running a version older than 12.28.2 are affected. The problem is present in any build of the console that implements the described account‑deletion logic, regardless of deployment environment. No specific minor releases are singled out in the advisory.
Risk and Exploitability
With a CVSS score of 7.1, the flaw is rated high impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so no public exploitation is currently known. An attacker would need to be able to initiate the deletion process, which normally requires a valid authenticated session; the attack vector is therefore remote, user‑initiated deletion via the web interface or API. If an account is compromised, an attacker could trigger the deletion and deny the legitimate user service from that device for about a month, until the deletion flag is cleared or a new device identifier is assigned.
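The following model is an added illustration of the logic flaw described in the Impact and Risk sections above; it is not Capgo's code and does not reproduce the console's real data model. It uses a constructed in‑memory store and hypothetical function names (deleteAccountVulnerable, deleteAccountFixed, authorize) to contrast a deletion routine that stamps the session's device identifier with a 30‑day disable marker against one that scopes the marker to the account only, and then shows what a second user on the same device experiences in each case.

```javascript
// Added example, not Capgo's code. Names and the store layout are assumptions.
const DISABLE_WINDOW_MS = 30 * 24 * 60 * 60 * 1000; // ~30 days, the lockout length stated in the advisory

// Constructed in-memory state standing in for the console's persistence layer.
function makeStore() {
  return {
    accounts: new Map(),        // accountId -> { deletedAt: number | null }
    disabledDevices: new Map(), // deviceId -> expiry timestamp (only populated by the vulnerable path)
  };
}

// Vulnerable variant: the deletion marker is applied to the device identifier
// bound to the active session, so any later login or registration from that
// device is refused for the whole window, regardless of which account is used.
function deleteAccountVulnerable(store, session, now) {
  store.accounts.set(session.accountId, { deletedAt: now });
  if (session.deviceId) {
    store.disabledDevices.set(session.deviceId, now + DISABLE_WINDOW_MS);
  }
}

// Fixed variant: deletion is recorded against the account alone. The device
// identifier is never used as an authorization key.
function deleteAccountFixed(store, session, now) {
  store.accounts.set(session.accountId, { deletedAt: now });
}

// Gate evaluated on login or registration. Returns "ok" or the reason for refusal.
function authorize(store, accountId, deviceId, now) {
  const expiry = store.disabledDevices.get(deviceId);
  if (expiry !== undefined && expiry > now) return "device-disabled";
  const account = store.accounts.get(accountId);
  if (account && account.deletedAt !== null) return "account-deleted";
  return "ok";
}

// Scenario: alice deletes her account from device-D; bob then tries to
// register from the same device, once right away and once after the window.
function scenario(deleteFn) {
  const store = makeStore();
  const now = 1700000000000; // constructed fixed timestamp (ms)
  store.accounts.set("alice", { deletedAt: null });
  deleteFn(store, { accountId: "alice", deviceId: "device-D" }, now);
  return {
    aliceRelogin: authorize(store, "alice", "device-D", now + 1000),
    bobSameDevice: authorize(store, "bob", "device-D", now + 1000),
    bobAfterWindow: authorize(store, "bob", "device-D", now + DISABLE_WINDOW_MS + 1),
  };
}

console.log("vulnerable:", scenario(deleteAccountVulnerable));
console.log("fixed:     ", scenario(deleteAccountFixed));
```

In the vulnerable run, bob is refused on device-D with "device-disabled" even though his account was never deleted, which is the denial of service the advisory describes; in the fixed run, only alice's own re-login is refused, and only because her account is gone. When reviewing similar code, the check to make is whether any deletion or lockout marker is keyed by something shared across users (device, browser, IP) rather than by the account itself.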
OpenCVE Enrichment