Description
Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.
Published: 2026-06-30
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 contains an authentication bypass in the account deletion endpoint. The vulnerability allows an attacker to delete a user’s account without re-entering the password or providing any secondary verification. Users are exposed to account removal, which results in loss of data and of access to services and can lead to a denial‑of‑service condition for the entire application.

Affected Systems

Vulnerable installations are any Capgo deployments running a version earlier than 12.128.2. The effect is limited to the account that is actively logged in or whose session cookie is hijacked.

Risk and Exploitability

The CVSS score of 7 indicates that the problem is a serious risk. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the exact likelihood of exploitation is not quantified, but the potential attack vectors (session hijacking, CSRF, or parameter tampering) make exploitation practical for an attacker who obtains a session or crafts a malicious request. Successful exploitation permanently deletes the user’s account, causing loss of data and non‑availability of the service to that user.

Generated by OpenCVE AI on June 30, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to apply the vendor patch that restores password verification for account deletion.
  • If an upgrade cannot be performed immediately, add a temporary backend guard that requires the user to provide their current password (or another form of re‑authentication) before the deletion operation is processed.
  • Implement or enforce CSRF protection for the deletion endpoint and tighten session cookie settings (HttpOnly, Secure, SameSite) to reduce the feasibility of session‑based attacks.

Generated by OpenCVE AI on June 30, 2026 at 23:24 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Changes in this revision (no values removed; values added listed below):

  • Description: Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.
  • Title: Capgo - Account Deletion Without Password Confirmation
  • Weaknesses: CWE-306
  • References:
  • Metrics:
    cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}
    cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:28.619Z

Reserved: 2026-06-20T01:51:24.919Z

Link: CVE-2026-56286

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses

  • CWE-306: Missing Authentication for Critical Function