Skip to main content

Capgo Console EUVDEUVD-2026-36505

| CVE-2026-53982 HIGH
Improper Access Control (CWE-284)
2026-06-12 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Reachable over the network against console.capgo.app with low complexity; attacker needs an authenticated Capgo session (PR:L); no user interaction; impact is availability-only (auth/onboarding lockout) with no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 17:32 vuln.today
Analysis Generated
Jun 12, 2026 - 17:32 vuln.today

DescriptionCVE.org

Capgo Console prior to 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.

AnalysisAI

Denial of service in Capgo Console versions prior to 12.28.2 allows an authenticated attacker to lock legitimate users out of authentication and onboarding flows by triggering account deletion while a device identifier is bound to the active session. The platform incorrectly persists the deletion state against the device identifier rather than the account, causing the affected browser or device to be redirected to an account-disabled page for roughly 30 days. No public exploit identified at time of analysis, but a vendor patch and GHSA advisory (GHSA-qmrm-qgwr-55jf) have been published following disclosure by VulnCheck.

Technical ContextAI

Capgo Console is the web management interface for Capgo, an open-source live-update and over-the-air deployment service for Capacitor mobile apps, hosted at console.capgo.app and backed by Supabase Edge Functions (the patched file lives under supabase/functions/_backend/utils). The root cause is classified as CWE-284 (Improper Access Control): the account-deletion handler associates the disabled-account state with a client-side device or browser identifier instead of strictly scoping it to the deleted user account. Because the identifier persists across sessions and across users sharing the same device or browser, the same identifier subsequently matches new login or registration attempts and triggers the disabled-account redirect for approximately 30 days, denying availability of the authentication and onboarding endpoints from that device.

RemediationAI

Vendor-released patch: upgrade Capgo Console to 12.128.2 (advisory references 12.28.2 but the patch commit 6685e5f confirms 12.128.2 as the fixed release) per GHSA-qmrm-qgwr-55jf at https://github.com/Cap-go/capgo/security/advisories/GHSA-qmrm-qgwr-55jf. For self-hosted deployments, deploy the updated supabase/functions/_backend/utils/version.ts and corresponding edge-function code from commit 6685e5f. Until the upgrade is applied, compensating controls are limited because the disabled state is keyed off a client identifier the user controls: affected users can usually recover by clearing browser storage and cookies for console.capgo.app or switching browsers/devices, and administrators can warn customers not to share devices or browsers with untrusted accounts; there is no clean server-side workaround that does not require code changes, so prioritising the upgrade is the correct action.

Share

EUVD-2026-36505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy