HIGH  CVE-2026-53982  CNA: VulnCheck

CVE-2026-53982: Cap-go Console < 12.28.2 Account Deletion DoS via Device Identifier Association

Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 12.28.2
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the account deletion flow of Cap-go Console versions before 12.28.2. An authenticated attacker triggers deletion of their own account while a device identifier is linked to the active session; the platform then records the deletion state against that device identifier rather than against the account. Every subsequent login or registration attempt from the affected device or browser environment, regardless of which account it belongs to, is redirected to an account-disabled page for approximately 30 days. No access to any victim account is needed: the shared device identifier is the only link between the attacker's action and the affected users. A patched-image rebuild at version 12.28.2 is available on HarborGuard for environments running an affected version.
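The following is an added illustration of the bug class described above and of the exploit conditions and blast radius listed further down; it is constructed for this page and is not Cap-go Console code. It models two deletion stores: a vulnerable one that keys the "disabled" state by the device identifier bound to the session, and a corrected one that keys it by account. The class and function names, the 30-day grace window, and the sample accounts and device identifiers are assumptions made for the example.

```typescript
// Added example (not Cap-go Console code): a minimal model of CVE-2026-53982's
// bug class. Names, the 30-day window, and all sample data are constructed.

const GRACE_MS = 30 * 24 * 60 * 60 * 1000; // assumed ~30-day deletion grace window

interface Session { accountId: string; deviceId: string; }
type Outcome = "ok" | "account-disabled";

interface DeletionStore {
  requestDeletion(session: Session, now: number): void;
  login(accountId: string, deviceId: string, now: number): Outcome;
  register(deviceId: string, now: number): Outcome;
}

// Vulnerable: the disabled flag is attached to whatever device identifier was
// bound to the session at deletion time, so every account on that device, and
// every new registration from it, is turned away until the window expires.
class DeviceKeyedStore implements DeletionStore {
  private disabledUntil = new Map<string, number>(); // deviceId -> expiry (ms)
  requestDeletion(s: Session, now: number): void {
    this.disabledUntil.set(s.deviceId, now + GRACE_MS);
  }
  private blocked(deviceId: string, now: number): boolean {
    const until = this.disabledUntil.get(deviceId);
    return until !== undefined && now < until;
  }
  login(_accountId: string, deviceId: string, now: number): Outcome {
    return this.blocked(deviceId, now) ? "account-disabled" : "ok";
  }
  register(deviceId: string, now: number): Outcome {
    return this.blocked(deviceId, now) ? "account-disabled" : "ok";
  }
}

// Fixed: deletion state lives on the account. Other accounts on the same
// device and new registrations are unaffected; only the deleted account is
// refused during its grace period.
class AccountKeyedStore implements DeletionStore {
  private disabledUntil = new Map<string, number>(); // accountId -> expiry (ms)
  requestDeletion(s: Session, now: number): void {
    this.disabledUntil.set(s.accountId, now + GRACE_MS);
  }
  login(accountId: string, _deviceId: string, now: number): Outcome {
    const until = this.disabledUntil.get(accountId);
    return until !== undefined && now < until ? "account-disabled" : "ok";
  }
  register(_deviceId: string, _now: number): Outcome {
    return "ok";
  }
}

// Scenario (constructed): attacker "mallory" deletes her own account from a
// shared device; "alice" then tries to log in there, and a newcomer registers.
function runScenario(store: DeletionStore) {
  const device = "dev-shared-kiosk"; // constructed device identifier
  const t0 = Date.UTC(2026, 0, 1);
  store.requestDeletion({ accountId: "mallory", deviceId: device }, t0);
  return {
    mallorySameDay: store.login("mallory", device, t0 + 1000),
    aliceSameDay: store.login("alice", device, t0 + 1000),
    aliceOtherDevice: store.login("alice", "dev-laptop", t0 + 1000),
    registerSameDay: store.register(device, t0 + 1000),
    aliceAfterWindow: store.login("alice", device, t0 + GRACE_MS + 1000),
  };
}

const vulnerable = runScenario(new DeviceKeyedStore());
const fixed = runScenario(new AccountKeyedStore());
```

In the vulnerable store, `aliceSameDay` and `registerSameDay` both come back `account-disabled` even though only Mallory asked for deletion, and `aliceOtherDevice` is `ok`, which matches the page's note that switching devices is the only user-side workaround. In the account-keyed store only Mallory's own login is refused. The check a reviewer would make on a real deletion flow is the same one this model makes explicit: the key used to persist and look up the deletion state must be the account, never a session-bound device or browser identifier.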

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53982 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from Cap-go Console base layers.

Triage: Available

HarborGuard scores this finding at CVSS 7.1 HIGH using the published v4.0 vector and weights it against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org.

Patch: Available

A patched-image rebuild at Cap-go Console 12.28.2 (commit 6685e5f11adef257bf3d085e481f4d8ebcec602e) becomes available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Cap-go Console service via a standard HTTP/HTTPS connection.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must hold a valid session to initiate the account deletion flow that triggers the vulnerability.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker can trigger the deletion state entirely through their own authenticated session.

  • Attack complexity: Low

    The exploit requires no special conditions, race windows, or environmental factors and can be executed reliably on any affected instance.

Blast Radius

  • The affected device or browser environment is redirected to an account-disabled page for approximately 30 days, blocking all login attempts from that device.
  • Any new account registration attempt from the affected device identifier is also denied for the same 30-day window, disrupting onboarding flows.
  • Availability of authentication and account creation functions is fully eliminated for the targeted device, with no user-side workaround short of switching to an unaffected device or environment.

How HarborGuard Handles This

Available on HarborGuard: any image derived from Cap-go Console versions before 12.28.2 is flagged as affected upon ingestion, with results surfaced in the registry scan view and pipeline gate checks. For customers with auto-remediation enabled, HarborGuard rebuilds the image at version 12.28.2, runs a regression test pass, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and remediation context attached. Customers who cannot immediately redeploy should consider an interim access control (for example, an authorization rule or reverse-proxy restriction on the account deletion flow) that limits which accounts can initiate account deletion, reducing the pool of principals able to trigger the vulnerable path until the patched image is deployed. Note that this limits exposure only to the extent untrusted users can be excluded from that set; any account that can still request its own deletion can still trigger the device-level block.


Fix available

12.28.2

Patch commits
  • 6685e5f11adef257bf3d085e481f4d8ebcec602e

Affected packages
  • Cap-go / capgo
    < 12.28.2 (from 0)
    Fixed in 6685e5f11adef257bf3d085e481f4d8ebcec602e
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N