CVE-2026-53982
CVE-2026-53982 is a medium-severity vulnerability with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-645.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 7.1
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-36505
- Weakness: CWE-645
- Published:
- Last modified:
Description
Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.
Frequently asked questions
- What is CVE-2026-53982?
- Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device.
- How severe is CVE-2026-53982?
- CVE-2026-53982 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-53982 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-53982?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-53982 have an EU (EUVD) identifier?
- Yes. CVE-2026-53982 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-36505.
- When was CVE-2026-53982 published?
- CVE-2026-53982 was published on 2026-06-12 and last updated on 2026-06-17.
References
- https://github.com/Cap-go/capgo/commit/6685e5f11adef257bf3d085e481f4d8ebcec602e
- https://github.com/Cap-go/capgo/security/advisories/GHSA-qmrm-qgwr-55jf
- https://www.vulncheck.com/advisories/capgo-console-account-deletion-dos-via-device-identifier-association
Other CWE-645 vulnerabilities
- CVE-2023-4346 — High (CVSS 7.5): KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable…
- CVE-2025-31947 — Medium (CVSS 5.8): Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users…
- CVE-2026-25907 — Medium (CVSS 5.3): Dell PowerScale OneFS, version 9.13.0.0, contains an overly restrictive account lockout mechanism vulnerability. An…
- CVE-2025-5241 — Medium (CVSS 5.3): Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows…
- CVE-2024-1722 — Low (CVSS 3.7): A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block…