Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible orphaned URLs require prior low-privilege authenticated access to obtain; impact is limited to low confidentiality with no integrity or availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
AnalysisAI
Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.
Technical ContextAI
Capgo (CPE: cpe:2.3:a:cap-go:capgo:*:*:*:*:*:*:*:*) is an open-source over-the-air live-update and deployment platform for Capacitor-based mobile applications. The root cause is CWE-459 (Incomplete Cleanup): the application logic updates a user's profile record to reference a new image URL but does not issue a corresponding delete operation against the old object in backend cloud storage (likely Supabase Storage or an S3-compatible bucket). The old storage object persists indefinitely with its original URL remaining valid. The 'Authentication Bypass' tag from VulnCheck suggests the storage layer serves the object without validating an auth token once the URL is known - meaning the URL itself functions as an ambient authority credential, bypassing any application-layer access control after initial issuance.
RemediationAI
Upgrade Capgo to version 12.128.2 or later, which implements proper deletion of backend storage objects when profile images are replaced or removed; the vendor patch and full advisory are at https://github.com/Cap-go/capgo/security/advisories/GHSA-8p92-wcp2-c9j4. For operators unable to immediately upgrade, configure backend object storage bucket lifecycle policies to expire objects after a defined retention period (e.g., 30 days), which reduces the exposure window but does not provide immediate deletion and may be insufficient for GDPR compliance. Restricting the storage bucket from public access and requiring signed, time-limited URLs for all object retrievals would prevent direct access via static URLs - this compensating control requires application-level changes and may impact normal image delivery latency and caching behavior. Operators should additionally run a one-time audit and cleanup script against the storage bucket to purge already-orphaned objects predating the patch. No workaround eliminates the root cause; patching to 12.128.2 is the only complete remediation.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same weakness CWE-459 – Incomplete Cleanup
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36628
GHSA-g9f3-8379-v2hf