CVE-2026-53868
Received - Intake
Capgo Account Lockout via Unverified Email Deletion

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
capgo | capgo | to 12.128.2 (exc)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and is a denial of service issue. It allows attackers to register accounts using arbitrary email addresses without verifying ownership of those emails. After registering, attackers can initiate deletion of these accounts, which locks the associated email addresses in a pending deletion state.

By exploiting this flaw, attackers can cause legitimate users to be locked out of the platform for 30 days because their email addresses remain in this pending deletion state, preventing them from accessing or using their accounts.

Impact Analysis

The primary impact of this vulnerability is a denial of service against legitimate users. Attackers can lock users out of their accounts for up to 30 days by exploiting the unverified email ownership process during account lifecycle operations.

This means that users will be unable to access their accounts or use the platform during this period, which could disrupt business operations, user experience, and trust in the platform.
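The lifecycle flaw described above, as an added in-memory model that is not Capgo code: every class, method and field name is hypothetical, and only the 30-day window comes from the advisory. The hardened branch shows one possible mitigation (an assumption, since the page does not describe the fix shipped in 12.128.2): an address is reserved in the pending-deletion state only if its ownership was confirmed.

```javascript
// Added illustration: in-memory model, not Capgo code. All names are hypothetical.
const LOCK_MS = 30 * 24 * 60 * 60 * 1000; // 30-day pending-deletion window from the advisory

class AccountStore {
  constructor({ requireVerifiedEmail }) {
    this.requireVerifiedEmail = requireVerifiedEmail; // false = flawed behaviour
    this.accounts = new Map();        // email -> { verified }
    this.pendingDeletion = new Map(); // email -> lock expiry (ms)
  }

  register(email, now) {
    const key = email.trim().toLowerCase();
    const lockedUntil = this.pendingDeletion.get(key);
    if (lockedUntil !== undefined && now < lockedUntil) {
      return { ok: false, reason: "email_pending_deletion" };
    }
    if (this.accounts.has(key)) return { ok: false, reason: "email_in_use" };
    this.accounts.set(key, { verified: false });
    return { ok: true };
  }

  // Called only after the mailbox owner follows the confirmation link.
  confirmEmail(email) {
    const acct = this.accounts.get(email.trim().toLowerCase());
    if (acct) acct.verified = true;
  }

  requestDeletion(email, now) {
    const key = email.trim().toLowerCase();
    const acct = this.accounts.get(key);
    if (!acct) return { ok: false, reason: "no_account" };
    this.accounts.delete(key);
    // Hardened: reserve the address only when its ownership was proven.
    if (!this.requireVerifiedEmail || acct.verified) {
      this.pendingDeletion.set(key, now + LOCK_MS);
    }
    return { ok: true };
  }
}

// Constructed scenario: an unverified account is created and deleted at t=0,
// then the real owner of the address tries to sign up one day later.
function ownerCanSignUp(requireVerifiedEmail) {
  const store = new AccountStore({ requireVerifiedEmail });
  store.register("owner@example.com", 0);
  store.requestDeletion("owner@example.com", 0);
  return store.register("Owner@Example.com", 24 * 60 * 60 * 1000).ok;
}
```

A regression test for the fix can assert the same thing against the real signup and deletion endpoints: deleting a never-verified account must not block a later signup with that address.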
