CVE-2026-56286
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
An authentication bypass vulnerability in Capgo before version 12.128.2 allows account deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, leading to unauthorized account deletion, data loss, and denial-of-service.
Risk Assessment
The risk includes unauthorized deletion of user accounts, potentially causing permanent data loss and service disruption for victims. Attackers can easily perform the attack without knowing the victim's password.
Recommendation
Immediately upgrade Capgo to version 12.128.2 or later. Additionally, enforce mandatory password re-authentication and CSRF protections for sensitive operations.
Original NVD description (English source)
Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.

