CVE-2026-56286 HIGH

CVE-2026-56286: Capgo - Account Deletion Without Password Confirmation

Vendor Capgo
Product Capgo
Weakness CWE-306 · Missing auth
Published June 30, 2026
Last update July 1, 2026

CVSS base score

7.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.

Key dates

02 Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated