CVE-2026-53868: Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion
Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 12.128.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in Capgo, the open-source live-update platform, affecting all versions before 12.128.2. An unauthenticated attacker can reach the registration and deletion API endpoints over the network with no credentials, register an account using any arbitrary email address without verifying ownership, and then trigger account deletion to lock that email in a pending-deletion state for 30 days. Successful exploitation permanently blocks the legitimate owner of that email address from accessing or creating a Capgo account for the duration of that hold period. A patched-image rebuild at version 12.128.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-53868 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images containing Capgo, in both registry scans and active CI/CD pipeline checks.
HarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 8.7 (HIGH) and weighting that score against each environment's compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined severity thresholds and ownership rules.
A patched-image rebuild at Capgo 12.128.2 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable registration and deletion endpoints are exposed over the network, so the attacker must be able to reach the service via a standard network connection.
- Authentication: Not required
No account or credentials are needed; the attack abuses the public account registration flow before any authentication occurs.
- Victim interaction: Not required
The attacker operates entirely through API calls and does not require the targeted user to click a link, open a file, or take any action.
- Attack complexity: Low
The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed to lock an email address.
Blast Radius
- An attacker locks any chosen email address out of the Capgo platform for a 30-day pending-deletion hold, preventing the legitimate owner from registering or recovering access during that window.
- Legitimate users whose email is targeted lose access to Capgo-managed live-update deployments for the duration of the hold, disrupting their ability to ship or roll back app updates.
- The attack is repeatable against any number of email addresses with no per-attempt cost, allowing broad-scope disruption of user accounts across an organization.
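The synopsis and blast-radius items above describe a logic defect in the account lifecycle: a deletion hold is attached to an email address that nobody has proven to control. The following TypeScript is an added, constructed model written for this page; it is not Capgo's code and does not reproduce its API. It keeps an in-memory account table and can run in either of two modes: the vulnerable shape (any registration counts as a real account, and deletion always reserves the address for 30 days) and a hardened shape (an unverified claim is purged immediately on deletion and never reserves the address, while a verified account still gets the full hold). The email address, timestamps and `AccountService` class are all assumptions made for the example.

```typescript
// Added example (constructed model, not Capgo's code): an in-memory account
// lifecycle that reproduces the logic defect in the advisory and a hardened
// variant that ties deletion holds to verified email ownership.

export type AccountState = "unverified" | "active" | "pending_deletion";

export interface Account {
  email: string;
  state: AccountState;
  holdUntil?: number; // epoch ms at which a pending-deletion hold lapses
}

export const HOLD_MS = 30 * 24 * 60 * 60 * 1000; // 30-day hold, as in the advisory

export class AccountService {
  private accounts = new Map<string, Account>();

  // requireVerifiedOwner=false models the vulnerable behaviour: a registration
  // is treated as a full account, and a deletion request locks the address
  // even though nobody proved control of the mailbox.
  constructor(private readonly requireVerifiedOwner: boolean) {}

  register(email: string, now: number): { ok: boolean; reason?: string } {
    const existing = this.accounts.get(email);
    if (existing) {
      if (existing.state === "pending_deletion" && (existing.holdUntil ?? 0) > now) {
        return { ok: false, reason: "email locked by pending deletion" };
      }
      if (existing.state === "active") {
        return { ok: false, reason: "email already in use" };
      }
      // An unverified claim or an expired hold does not reserve the address.
    }
    this.accounts.set(email, {
      email,
      state: this.requireVerifiedOwner ? "unverified" : "active",
    });
    return { ok: true };
  }

  // Proof of mailbox control (for instance, following an emailed link). The
  // token check itself is out of scope; the caller is assumed to have done it.
  verify(email: string): boolean {
    const acct = this.accounts.get(email);
    if (!acct || acct.state !== "unverified") return false;
    acct.state = "active";
    return true;
  }

  requestDeletion(email: string, now: number): { ok: boolean; reason?: string } {
    const acct = this.accounts.get(email);
    if (!acct) return { ok: false, reason: "no such account" };
    if (this.requireVerifiedOwner && acct.state !== "active") {
      // Nothing worth protecting sits behind an unverified claim: purge it
      // now instead of reserving the address for 30 days.
      this.accounts.delete(email);
      return { ok: true };
    }
    acct.state = "pending_deletion";
    acct.holdUntil = now + HOLD_MS;
    return { ok: true };
  }

  stateOf(email: string): AccountState | undefined {
    return this.accounts.get(email)?.state;
  }
}

// Replays the sequence from the advisory against one configuration: an
// unverified party claims the address, requests deletion, and the legitimate
// owner then tries to register. Returns true if the owner is blocked.
export function ownerBlockedAfterBogusDeletion(requireVerifiedOwner: boolean): boolean {
  const svc = new AccountService(requireVerifiedOwner);
  const t0 = Date.UTC(2026, 0, 1); // constructed timestamp
  const email = "owner@example.test"; // constructed address
  svc.register(email, t0); // claim by someone who never verifies
  svc.requestDeletion(email, t0 + 1000); // immediate deletion request
  return !svc.register(email, t0 + 2000).ok; // real owner now signs up
}

// The hardened mode still honours the hold for a verified account, so a
// genuine deletion cannot be undone by an immediate re-registration.
// Returns the number of days until the address becomes available again.
export function verifiedDeletionHoldDays(): number {
  const svc = new AccountService(true);
  const t0 = Date.UTC(2026, 0, 1);
  const email = "owner@example.test";
  svc.register(email, t0);
  svc.verify(email);
  svc.requestDeletion(email, t0);
  let day = 0;
  while (!svc.register(email, t0 + day * 24 * 60 * 60 * 1000).ok) day++;
  return day;
}
```

Running `ownerBlockedAfterBogusDeletion(false)` shows the lock-out: the owner's registration is refused for the length of the hold. With `true` the same sequence purges the unverified claim and the owner registers normally, while `verifiedDeletionHoldDays()` confirms that a verified account's deletion still reserves the address for the full 30 days. The design point is that a deletion hold is a protection for a proven owner, so the state machine should only grant it once ownership has been proven.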
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-53868 is active for any image containing Capgo below version 12.128.2, with findings surfaced in the registry scan and pipeline check views. A patched-image rebuild at version 12.128.2 is available for affected environments. For customers who opt into auto-remediation, HarborGuard targets a rebuild, regression run, and merged patch PR for HIGH-severity issues typically within around 90 minutes of CVE publication. Where compliance policy does not permit auto-remediation, the finding is queued for manual review with the CVSS 8.7 score and full fix-version detail attached. HarborGuard re-checks the advisory each ingest cycle to capture any subsequent patch revisions.
Fix available
- Capgo / Capgo: < 12.128.2 (from 0), fixed in 12.128.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N