VYPR
Medium severity (6.5) · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-53982

Description

Capgo Console prior to 12.28.2 has a denial-of-service where account deletion incorrectly blocks the device from any login or registration for ~30 days.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The bug resides in the account deletion flow of Capgo Console prior to version 12.28.2. When a user deletes their account, the platform associates the deletion state with the device identifier linked to the active session, rather than only with the account. This causes the affected device or browser environment to be redirected to the /accountDisabled page for approximately 30 days, preventing any account login or registration from that device. [1][3]

Exploitation

An attacker with valid credentials can trigger account deletion from a device they control. No special privileges beyond a normal user account are required. After completing the deletion flow, the device identifier becomes locked. Any subsequent attempt to log in with a different account or register a new account from that same device is blocked, as the application redirects to /accountDisabled. [1] The attacker can thus deny service to legitimate users who share that device or browser environment.

Impact

Successful exploitation results in a denial of service for authentication and onboarding functions on the affected device. The device is locked out for approximately 30 days, preventing both login and new account registration. This impacts legitimate users, particularly those on shared or public devices, leading to poor recovery experience and potential service abuse. [1][3]

Mitigation

The vulnerability is fixed in Capgo Console version 12.28.2, as referenced in commit 6685e5f. [2] Users should upgrade to the latest version immediately. If upgrading is not possible, clearing device identifiers or using incognito/private browsing can avoid persistent device locking. The recommended long-term mitigation is to decouple device identity from account deletion and ensure device identifiers are not marked as disabled upon account deletion. [1]

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

Commit 6685e5f11ade

chore(release): 12.128.2

https://github.com/cap-go/capgo · github-actions[bot] · May 6, 2026 · via nvd-ref
2 files changed · +2 −2
  • package.json (+1 −1, modified)
    @@ -1,7 +1,7 @@
     {
       "name": "capgo-app",
       "type": "module",
    -  "version": "12.128.1",
    +  "version": "12.128.2",
       "private": true,
       "workspaces": [
         "cli"
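Review bot: the only change in this hunk is the package.json version bump from 12.128.1 to 12.128.2; none of the account-deletion or device-identifier logic the advisory text attributes to this commit is visible here, so the diff as shown does not demonstrate the fix and readers should not treat the release commit as the code change itself.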
    
  • supabase/functions/_backend/utils/version.ts (+1 −1, modified)
    @@ -1,3 +1,3 @@
    -export const version = '12.128.1'
    +export const version = '12.128.2'
     
     // This is automatically generated by the update-version.js script don't edit it manually
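Review bot: this hunk is again only a version-string bump, and the file's own comment says it is generated by update-version.js, so it carries no behavioural change; note also that the version written here, 12.128.2, does not match the "12.28.2" quoted in the description above, which is worth reconciling before anyone uses the version number to decide whether they are patched.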
    

Vulnerability mechanics

Root cause

"The backend associates the account's deletion state with the device identifier, causing the device to be blocked from authentication or registration for ~30 days after account deletion."

Attack vector

An authenticated attacker triggers account deletion while a device identifier is linked to the active session. The backend flags that device identifier as disabled, causing any subsequent authentication or registration attempt from the same browser environment to be redirected to `/accountDisabled` for approximately 30 days [ref_id=1]. The attacker needs only low-privilege access and no special network position (AV:N/AC:L/PR:L).

Affected code

The account deletion endpoint and the middleware that checks device-identifier status are at fault. The patch in commit `6685e5f11adef257bf3d085e481f4d8ebcec602e` [patch_id=5724815] modifies the deletion logic to decouple the device identifier from the account's disabled state.

What the fix does

The patch [patch_id=5724815] removes the code that persists the deletion state onto the device identifier, so that deleting an account no longer marks the associated device as disabled. Instead, only session tokens are revoked, and new authentication attempts are allowed to proceed normally from the same device. This closes the denial-of-service vector by ensuring device identity remains neutral after account deletion.
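As an added illustration that is not Capgo's code and not what the referenced commit contains, the following in-memory model contrasts the deletion flow described above (deletion state written onto the device identifier) with the decoupled one (only the account and its sessions are revoked); the stores, function names and the 30-day window are all assumptions constructed for the example.

```typescript
// Constructed model of the bug class described in this advisory (not Capgo's code).
const DEVICE_LOCK_MS = 30 * 24 * 60 * 60 * 1000; // ~30-day lock window, as in the advisory

interface Session { token: string; accountId: string; deviceId: string }

// In-memory stands-ins for the backend tables (constructed for the example).
const accounts = new Set<string>();
const sessions = new Map<string, Session>();
const disabledDevices = new Map<string, number>(); // deviceId -> timestamp when the lock expires

// Middleware-style gate: any request from a locked device is refused (the /accountDisabled redirect).
function isDeviceBlocked(deviceId: string, now: number): boolean {
  const until = disabledDevices.get(deviceId);
  return until !== undefined && now < until;
}

function register(accountId: string, deviceId: string, now: number): boolean {
  if (isDeviceBlocked(deviceId, now)) return false;
  accounts.add(accountId);
  return true;
}

function login(accountId: string, deviceId: string, now: number): string | null {
  if (isDeviceBlocked(deviceId, now) || !accounts.has(accountId)) return null;
  const token = `tok-${sessions.size + 1}`;
  sessions.set(token, { token, accountId, deviceId });
  return token;
}

function revokeAccount(accountId: string): void {
  accounts.delete(accountId);
  for (const [t, s] of sessions) if (s.accountId === accountId) sessions.delete(t);
}

// Vulnerable flow: the deletion state is persisted onto the device identifier of the
// active session, so every later login or registration from that device is refused.
function deleteAccountVulnerable(token: string, now: number): void {
  const s = sessions.get(token);
  if (!s) return;
  disabledDevices.set(s.deviceId, now + DEVICE_LOCK_MS); // the defect: device, not account, is marked
  revokeAccount(s.accountId);
}

// Fixed flow: only the account and its session tokens are revoked; the device stays neutral.
function deleteAccountFixed(token: string): void {
  const s = sessions.get(token);
  if (!s) return;
  revokeAccount(s.accountId);
}

function reset(): void { accounts.clear(); sessions.clear(); disabledDevices.clear(); }
```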

Preconditions

  • auth: Attacker must be authenticated with a valid account on the Capgo Console instance.
  • input: The active session must have a device identifier linked to it (stored in LocalStorage, Cookies, or IndexedDB).
  • network: No special network position is required; the attack is performed over the normal HTTP(S) interface.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
