Description

Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.

Severity (CVSS)

Base score7
SeverityHigh
VersionCVSS 4.0
VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Provided byCNA

Weaknesses

  • CWE-306 — Missing Authentication for Critical Function

Affected products

VendorProductVersions
CapgoCapgo0 to <12.128.2; 12.128.2

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 01 Jul 2026 07:05 UTC.