CVE-2026-56223

EUVD-2026-38737

24.06.2026, 13:16

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.7 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-jhjh-vp9p-54fg

https://www.vulncheck.com/advisories/capgo-account-takeover-via-cross-domain-sso-email-assertion-in-provision-user

https://github.com/Cap-go/capgo/security/advisories/GHSA-jhjh-vp9p-54fg