
Business-Level DoS -> Account Pre-Registration and Deletion Leads to Permanent User Lockout

Critical
riderx published GHSA-3wfv-m8fq-7r5g May 7, 2026

Package

console.capgo.app

Affected versions

12.110.2

Patched versions

12.128.2

Description

Summary

The application allows an attacker to register an account using any arbitrary email address without requiring email verification. The account remains in an unverified state, yet the system still:

  • Reserves the email as a unique identifier
  • Allows access to account settings
  • Permits account deletion
  • Places the account into a 30-day pending deletion state

An attacker can therefore:

  1. Register an account using a victim’s email address.
  2. Initiate the account deletion process.
  3. Cause the victim’s email address to become locked in a “pending deletion” state for 30 days.

During this period:

  • The legitimate email owner cannot register a new account because the system reports “User Already Exists”.
  • If the victim attempts password reset and login, they are redirected to an accountDisabled page.
  • The victim must contact support to restore access.

This results in a Denial of Service against the legitimate email owner by abusing the account lifecycle logic.
The root cause is that email ownership is not verified before allowing sensitive lifecycle actions such as account deletion and identity reservation.
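The following is an added illustration, not code from the advisory or from the Capgo project: a minimal in-memory model of the account lifecycle described above, with a switch between the reported behaviour (an unverified registration reserves the email and may request deletion) and a hardened policy (unverified records reserve nothing and cannot trigger lifecycle actions). The store, state names and the constructed address are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNVERIFIED = "unverified"              # registered, mailbox never confirmed
    ACTIVE = "active"                      # email ownership proven
    PENDING_DELETION = "pending_deletion"  # the 30-day grace period from the advisory


@dataclass
class Account:
    email: str
    state: State = State.UNVERIFIED


@dataclass
class AccountStore:
    # verified_only=False models the reported behaviour; True is the hardened policy.
    verified_only: bool
    accounts: dict[str, Account] = field(default_factory=dict)

    def register(self, email: str) -> Account:
        existing = self.accounts.get(email)
        if existing is not None:
            # Hardened: an unverified record reserves nothing, so a fresh
            # registration replaces it and the mailbox owner is never locked out.
            if not (self.verified_only and existing.state is State.UNVERIFIED):
                raise ValueError("User Already Exists")
        acct = Account(email)
        self.accounts[email] = acct
        return acct

    def verify_email(self, email: str) -> None:
        # Called only after the mailbox owner proves control (link or code).
        self.accounts[email].state = State.ACTIVE

    def request_deletion(self, email: str) -> None:
        acct = self.accounts[email]
        # Hardened: sensitive lifecycle actions require a verified identity.
        if self.verified_only and acct.state is not State.ACTIVE:
            raise PermissionError("verify email before requesting deletion")
        acct.state = State.PENDING_DELETION


def simulate(verified_only: bool) -> str:
    """Replay attacker steps 1-2 from the advisory, then the victim's own signup."""
    store = AccountStore(verified_only)
    victim = "victim@example.com"          # constructed address
    store.register(victim)                 # 1: attacker registers, never verifies
    try:
        store.request_deletion(victim)     # 2: attacker starts the 30-day deletion
    except PermissionError:
        pass                               # hardened store refuses the unverified actor
    try:
        store.register(victim)             # victim later signs up for real
        return "victim registered"
    except ValueError as exc:
        return str(exc)                    # "User Already Exists" on the vulnerable store
```

`simulate(False)` reproduces the lockout; `simulate(True)` shows that once identity reservation and deletion are gated on verified ownership, the same two steps leave the victim able to register.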

Impact

  • Any attacker can lock any email address out of the platform.
  • The attacker does not need to control or verify the email address.
  • The legitimate user cannot:
      ◦ Register a new account
      ◦ Use password reset to regain normal access
      ◦ Access dashboard functionality
  • The lock persists for 30 days unless manually restored.

This constitutes an account lifecycle Denial of Service vulnerability.

If automated, an attacker could:

  • Mass lock user emails
  • Target specific individuals
  • Disrupt onboarding of new customers

Business Impact:

  • Prevents legitimate users from onboarding.
  • Causes customer frustration and churn.
  • Increases support workload due to manual restoration requests.
  • Damages platform trust and reliability.
  • Potential competitive abuse (locking business accounts intentionally).
  • Operational disruption if targeted at enterprise users.

For SaaS platforms, this directly affects revenue, user acquisition, and brand reputation.

Severity

Critical

CVE ID

No known CVE

Weaknesses

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Learn more on MITRE.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Learn more on MITRE.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

Credits