CVE-2026-53868
Description
Capgo before 12.128.2 allows unverified email registration and deletion, locking legitimate users out for 30 days.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Capgo versions before 12.128.2 contain a denial of service vulnerability where the application does not require email verification before allowing sensitive account lifecycle actions. An attacker can register an account using any arbitrary email address without verifying ownership. The system reserves the email as a unique identifier and permits account deletion, placing the account into a 30-day pending deletion state. This locks the email address, preventing the legitimate owner from registering or accessing the platform [1][2].
Exploitation
An attacker with network access and no authentication can exploit this by registering an account with a victim's email address (no verification needed) and then initiating account deletion. The attacker does not need to control the email inbox. The victim's email becomes locked in a pending deletion state for 30 days [1].
Impact
During the 30-day lockout, the legitimate email owner cannot register a new account (system reports "User Already Exists"), cannot use password reset to regain normal access, and is redirected to an account-disabled page. The victim must contact support to restore access. This constitutes a denial of service against the legitimate user, with potential for mass lockouts and business disruption [1][2].
Mitigation
The vulnerability is fixed in Capgo version 12.128.2. Users should upgrade to this version or later. No workaround is documented; affected users must contact support to manually restore locked accounts [1][2].
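A constructed model of the account-lifecycle logic described under Vulnerability, added here as an example; it is not Capgo's code, and the hardened branch is a standard fix pattern, not the documented 12.128.2 change. The weak path lets an unverified account enter the 30-day pending-deletion state and reserve the address; the hardened path gates deletion on a verified email and lets whoever controls the inbox claim an unverified reservation. Class names, messages and the sample address are assumptions.

```python
# Constructed model of the lifecycle flaw described above; not Capgo's code.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

PENDING_DELETION_DAYS = 30  # lockout window stated in the advisory


@dataclass
class Account:
    email: str
    verified: bool = False
    pending_deletion_until: Optional[int] = None  # day number, None while active


@dataclass
class AccountStore:
    """require_verification=False reproduces the weak lifecycle logic."""
    require_verification: bool
    today: int = 0
    accounts: dict[str, Account] = field(default_factory=dict)

    def register(self, email: str) -> str:
        existing = self.accounts.get(email)
        if existing is None:
            self.accounts[email] = Account(email)
            return "registered: verification mail sent"
        if self.require_verification and not existing.verified:
            # Hardened: an unverified reservation is not ownership. Whoever
            # controls the inbox can still claim the address by verifying.
            return "already reserved: verification mail re-sent"
        return "User Already Exists"  # verified or pending-deletion account

    def verify(self, email: str) -> None:
        self.accounts[email].verified = True

    def delete(self, email: str) -> str:
        acct = self.accounts[email]
        if self.require_verification and not acct.verified:
            return "rejected: sensitive action requires a verified email"
        acct.pending_deletion_until = self.today + PENDING_DELETION_DAYS
        return f"pending deletion for {PENDING_DELETION_DAYS} days"


def simulate(require_verification: bool) -> tuple[str, str]:
    """A stranger registers victim@example.test (constructed address) without
    inbox access, deletes it, then the real owner tries to register.
    Returns (delete result, owner's register result)."""
    store = AccountStore(require_verification)
    store.register("victim@example.test")
    deleted = store.delete("victim@example.test")
    owner = store.register("victim@example.test")
    return deleted, owner
```

Running `simulate(False)` yields the lockout the advisory describes, while `simulate(True)` refuses the deletion and leaves the address claimable by the inbox owner.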
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.