Description
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.
Published: 2026-06-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo prior to version 12.128.2 contains a cross‑domain single sign‑on flaw in the provision‑user endpoint that allows an attacker to merge arbitrary victim accounts based solely on email match, without validating that the SSO provider domain is authorized. An attacker who gains enterprise organization administrator rights and controls a malicious identity provider can forge SAML assertions that include victim email addresses, trigger the vulnerable merge operation, and thereby obtain full access to the victim’s account, organization, and data.

Affected Systems

Vendor Capgo, product Capgo: all releases prior to 12.128.2 are vulnerable. Versions 12.128.2 and later are not affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity, and it is not currently listed in the CISA KEV catalog. The EPSS score is not available, implying that the exploitation probability is unknown but potentially high given the critical nature of account takeover. The likely attack vector involves an attacker with enterprise organization admin privileges who can issue forged SAML assertions from a malicious identity provider; this enables account merge and takeover without any additional user interaction.

Generated by OpenCVE AI on June 24, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later.
  • Configure the provision‑user endpoint to validate the SSO provider domain, allowing only approved identity providers to issue assertions for that endpoint.
  • Ensure all SAML assertions are properly signed and verified before processing.
  • Monitor authentication logs for abnormal account merge activity and review IdP configuration changes regularly.
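The domain and issuer checks the recommended actions describe, shown as an added example in TypeScript. This is not Capgo's code: the handler names, the config and user shapes, and the sample directory are all hypothetical, and the unsafe variant only illustrates the class of flaw the advisory describes (merging on email match alone).

```typescript
// Added example, not Capgo's code. Hypothetical provision-user handler that
// contrasts an email-match-only merge with a domain- and issuer-validated one.

interface SamlAssertion {
  issuer: string;          // entityID of the IdP that issued the assertion
  email: string;           // email attribute / NameID carried in the assertion
  signatureValid: boolean; // result of XML signature verification (assumed done upstream)
}

interface OrgSsoConfig {
  orgId: string;
  idpIssuer: string;         // the single IdP entityID this organisation registered
  verifiedDomains: string[]; // email domains the organisation has proven it owns
}

interface UserRecord {
  id: string;
  email: string;
  orgIds: string[];
}

type ProvisionResult =
  | { action: "merged"; userId: string }
  | { action: "created"; userId: string }
  | { action: "rejected"; reason: string };

// Constructed sample directory: one user in an unrelated org, one existing member.
function sampleUsers(): UserRecord[] {
  return [
    { id: "u-victim", email: "victim@victim.example", orgIds: ["org-victim"] },
    { id: "u-bob", email: "bob@acme.example", orgIds: ["org-acme"] },
  ];
}

function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

function findByEmail(users: UserRecord[], email: string): UserRecord | undefined {
  const needle = email.toLowerCase();
  return users.find((u) => u.email.toLowerCase() === needle);
}

function attachToOrg(user: UserRecord, orgId: string): ProvisionResult {
  if (!user.orgIds.includes(orgId)) user.orgIds.push(orgId);
  return { action: "merged", userId: user.id };
}

function createUser(users: UserRecord[], email: string, orgId: string): ProvisionResult {
  const user: UserRecord = { id: `u-${users.length + 1}`, email, orgIds: [orgId] };
  users.push(user);
  return { action: "created", userId: user.id };
}

// Unsafe pattern: any existing account whose email matches the asserted one is
// merged into the caller's org. Because the asserting IdP is under the org
// admin's control, the email value is attacker-chosen and nothing ties it to
// the org, which is the CWE-287 condition the advisory describes.
function provisionUserUnsafe(a: SamlAssertion, cfg: OrgSsoConfig, users: UserRecord[]): ProvisionResult {
  const existing = findByEmail(users, a.email);
  return existing ? attachToOrg(existing, cfg.orgId) : createUser(users, a.email, cfg.orgId);
}

// Hardened pattern: the assertion must be signed, must come from the IdP bound
// to this org, and may only carry an email under a domain this org has verified.
function provisionUserHardened(a: SamlAssertion, cfg: OrgSsoConfig, users: UserRecord[]): ProvisionResult {
  if (!a.signatureValid) return { action: "rejected", reason: "invalid assertion signature" };
  if (a.issuer !== cfg.idpIssuer) return { action: "rejected", reason: "issuer not bound to this organisation" };
  const domain = emailDomain(a.email);
  if (domain === null) return { action: "rejected", reason: "malformed email" };
  const allowed = cfg.verifiedDomains.map((d) => d.toLowerCase());
  if (!allowed.includes(domain)) return { action: "rejected", reason: `domain ${domain} not verified for org` };
  const existing = findByEmail(users, a.email);
  return existing ? attachToOrg(existing, cfg.orgId) : createUser(users, a.email, cfg.orgId);
}
```

The hardened handler refuses the cross-domain case before any lookup happens, so the victim record is never touched. Every `rejected` result carries a reason string; emitting those reasons to the authentication log gives the monitoring item above something concrete to alert on. Verifying domain ownership (for example through a DNS TXT record) before adding it to `verifiedDomains` is assumed to happen in the org onboarding flow, outside this snippet.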


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cap-go; Cap-go cap-go
Vendors & Products | | Cap-go; Cap-go cap-go

Wed, 24 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.
Title | | Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T13:46:06.984Z

Reserved: 2026-06-19T21:46:58.630Z

Link: CVE-2026-56223

Vulnrichment

Updated: 2026-06-24T13:45:27.999Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses