Description
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
Published: 2026-06-20
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.12 permit authenticated users to change their mutable public.users.email field to any address. The SSO provisioning endpoint treats this email as the key for merging accounts. An attacker can pre-set their own account with a victim's corporate SSO email and then trigger the provision-user flow, causing the victim's SSO identity to be merged into the attacker-controlled account. This results in unauthorized access to the victim's resources and possible privilege escalation. The weakness is classified as CWE-639, Authorization Bypass Through User-Controlled Key: a value the user controls is used as the key for an authorization decision.

Affected Systems

All installations of Capgo with a release prior to 12.128.12 are affected. The vulnerability applies to any deployment that uses the public.users table and the SSO provisioning endpoint. No specific host or environment is required beyond the use of Capgo’s default authentication and SSO features.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires only an authenticated session and access to the API that updates public.users.email; no elevated privileges or network access beyond the Capgo service are necessary. Attackers can pre-position a poisoned email address and then invoke the SSO provisioning flow, which the system trusts without additional validation. The potential for data compromise, and for corporate SSO identities to be merged into attacker-controlled accounts, makes this a serious risk for affected organizations.

Generated by OpenCVE AI on June 20, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Capgo to 12.128.12 or later to remove the vulnerable logic that allows public.users.email to be used as an account-merge key.
  • Configure the SSO provisioning endpoint to reject or ignore email addresses that are not pre-validated, ensuring that only system-approved identities can initiate merges.
  • Audit and monitor account-merge events for anomalous activity, and consider disabling automated merges for accounts that already exist in the corporate SSO domain until a permanent fix is deployed.
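As an added illustration (not Capgo's own code), the following in-memory model contrasts the merge-on-mutable-email logic described under Impact with a provisioning routine that follows the recommended actions above. The table rows, the identity-provider claims and all function names are constructed for this example.

```javascript
// Added example (not Capgo's code): an in-memory model of an SSO
// provision-user endpoint. Rows mirror the page's public.users table,
// whose email column a logged-in user can edit. All data is constructed.

// The attacker registered normally, then changed their own email to the
// victim's corporate address; the victim has no local row yet.
function seedUsers() {
  return [{ id: 'u-attacker', email: 'victim@corp.example',
            emailVerified: false, ssoIssuer: null, ssoSubject: null }];
}

// Identity asserted by the corporate IdP when the victim signs in (constructed).
const VICTIM_SSO = { issuer: 'https://idp.corp.example',
                     subject: 'sub-victim-42', email: 'victim@corp.example' };

function createFromSso(users, sso) {
  const row = { id: 'u-' + sso.subject, email: sso.email, emailVerified: true,
                ssoIssuer: sso.issuer, ssoSubject: sso.subject };
  users.push(row);
  return row;
}

// Vulnerable shape (CWE-639): the user-controlled email is the merge key, so the
// victim's SSO identity lands on whichever row already holds that address.
function provisionUserVulnerable(users, sso) {
  const existing = users.find(u => u.email === sso.email);
  if (!existing) return createFromSso(users, sso);
  existing.ssoIssuer = sso.issuer;
  existing.ssoSubject = sso.subject;
  return existing;
}

// Hardened shape: merge only on a key the user cannot edit (issuer+subject bound
// by an earlier provisioning) or on an email the platform itself verified; an
// unverified row holding the address is a conflict, never a merge target.
function provisionUserHardened(users, sso) {
  const bound = users.find(u => u.ssoIssuer === sso.issuer && u.ssoSubject === sso.subject);
  if (bound) return bound;
  const byEmail = users.find(u => u.email === sso.email);
  if (!byEmail) return createFromSso(users, sso);
  if (!byEmail.emailVerified) {
    return { conflict: true, reason: 'email held by an unverified account', id: null };
  }
  byEmail.ssoIssuer = sso.issuer;
  byEmail.ssoSubject = sso.subject;
  return byEmail;
}
```

Against the seeded rows, the vulnerable routine returns the attacker's row now carrying the victim's SSO subject, while the hardened routine returns a conflict and leaves the table untouched; a row whose email was verified by the platform still merges as expected.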


Advisories

No advisories yet.

History

Sat, 20 Jun 2026 00:30:00 +0000

Type | Values Removed | Values Added
Description | | Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
Title | | Capgo - Account Merge via Poisoned public.users.email in SSO Provisioning
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
        | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T00:14:38.298Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56215

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T01:30:05Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key