CVE-2026-56223
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Capgo before version 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization.
Risk Assessment
An attacker with enterprise org admin access can exploit this vulnerability to gain full access to victim accounts, organizations, and data, posing a serious threat to data security.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later and implement additional domain authorization validation mechanisms for the SSO provider.
Original NVD description (English source)
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.

