PatchSiren cyber security CVE debrief
CVE-2026-53867 Cap-go CVE debrief
CVE-2026-53867 is a medium-severity vulnerability in Capgo, a cloud-based service. The issue arises from Capgo's failure to delete previously uploaded profile images from backend storage when users replace or remove them. This oversight allows attackers to access orphaned image files through previously generated URLs, enabling unauthorized retrieval of user-uploaded content. The vulnerability has a CVSS score of 5.3 and is classified as CWE-459.
- Vendor: Cap-go
- Product: capgo
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Capgo, especially those who upload profile images, should be aware of this vulnerability. Additionally, administrators and security teams responsible for Capgo installations should prioritize patching to version 12.128.2 or later.
Technical summary
Capgo before 12.128.2 does not properly clean up previously uploaded profile images when users update or remove them. This results in orphaned files remaining in backend storage. Attackers can exploit this by accessing these files through their previously generated URLs, allowing unauthorized access to user-uploaded content.
Defensive priority
Medium
Recommended defensive actions
- Update Capgo to version 12.128.2 or later to ensure proper deletion of orphaned profile images.
- Review and clean up any existing orphaned files in backend storage.
- Monitor for any unauthorized access to profile images.
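The following is an added illustration of the CWE-459 pattern described in the technical summary and of the first two defensive actions above. It is not Capgo's code and does not reflect how Capgo stores images; it assumes a hypothetical object store where each upload gets its own key, the public URL is derived from that key, and a user record points at the current key. The "vulnerable" function repoints the record without deleting the previous object, so the old URL keeps serving; the "fixed" function deletes the previous object, and a reconciliation sweep finds keys that no record references (the cleanup an existing deployment would need after upgrading).

```python
"""Added example (not Capgo's code): replace-without-delete (CWE-459) on a
hypothetical in-memory object store, the corrected replace/remove handlers,
and an orphan sweep for objects no user record references."""
from dataclasses import dataclass
from typing import Optional
import hashlib

BASE_URL = "https://cdn.example.invalid/"  # constructed placeholder origin


class MemoryStore:
    """Stand-in for a bucket: any key that was written stays readable until deleted."""

    def __init__(self) -> None:
        self._objects: dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        self._objects[key] = data

    def get(self, key: str) -> Optional[bytes]:
        return self._objects.get(key)

    def delete(self, key: str) -> None:
        self._objects.pop(key, None)

    def keys(self) -> set[str]:
        return set(self._objects)


@dataclass
class User:
    user_id: str
    image_key: Optional[str] = None  # key of the current profile image, if any


def image_key_for(user_id: str, data: bytes) -> str:
    # Per-upload key derived from content: a replacement always gets a new key,
    # which is why the previous object lingers unless something deletes it.
    return f"profiles/{user_id}/{hashlib.sha256(data).hexdigest()[:16]}.png"


def url_for(key: str) -> str:
    return BASE_URL + key


def replace_image_vulnerable(store: MemoryStore, user: User, data: bytes) -> str:
    """Before the fix: store the new image, repoint the record, forget the old object."""
    key = image_key_for(user.user_id, data)
    store.put(key, data)
    user.image_key = key
    return url_for(key)


def replace_image_fixed(store: MemoryStore, user: User, data: bytes) -> str:
    """After the fix: write the new object first, then delete the one it replaces."""
    old_key = user.image_key
    key = image_key_for(user.user_id, data)
    store.put(key, data)
    user.image_key = key
    if old_key and old_key != key:
        store.delete(old_key)
    return url_for(key)


def remove_image_fixed(store: MemoryStore, user: User) -> None:
    """Removal must delete the object too, not just clear the reference."""
    if user.image_key:
        store.delete(user.image_key)
        user.image_key = None


def find_orphans(store: MemoryStore, users: list) -> list:
    """Reconciliation sweep: stored keys that no user record references."""
    referenced = {u.image_key for u in users if u.image_key}
    return sorted(store.keys() - referenced)


def fetch_by_url(store: MemoryStore, url: str) -> Optional[bytes]:
    """What a holder of a previously issued URL gets back: the object, if it still exists."""
    if not url.startswith(BASE_URL):
        return None
    return store.get(url[len(BASE_URL):])


def demo():
    """Returns (old URL still readable after vulnerable replace,
    old URL gone after fixed replace, orphans found, orphans left after sweep)."""
    store = MemoryStore()
    alice = User("alice")
    first = replace_image_vulnerable(store, alice, b"avatar-v1")
    replace_image_vulnerable(store, alice, b"avatar-v2")
    leaked = fetch_by_url(store, first) is not None  # old object still served

    bob = User("bob")
    first_bob = replace_image_fixed(store, bob, b"avatar-v1")
    replace_image_fixed(store, bob, b"avatar-v2")
    cleaned = fetch_by_url(store, first_bob) is None  # old URL no longer resolves

    orphans = find_orphans(store, [alice, bob])  # alice's first upload only
    for key in orphans:
        store.delete(key)
    return leaked, cleaned, orphans, find_orphans(store, [alice, bob])


if __name__ == "__main__":
    print(demo())
```

The sweep is deliberately record-driven rather than age-driven: an object is an orphan because nothing references it, not because it is old, so the same pass is safe to run repeatedly after the upgrade without touching current images.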
Evidence notes
The CVE record and details are based on information from [cve-org] and [nvd]. Additional context is provided by [ref-4] and [ref-5].
Official resources
CVE-2026-53867 was published and modified on 2026-06-12T22:16:56.007Z.