PatchSiren

CVE-2026-56215 Capgo CVE debrief

CVE-2026-56215 is a high-severity vulnerability in Capgo that allows authenticated users to modify their public.users.email field to arbitrary addresses. An attacker can use this to pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.

Vendor: Capgo
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-20
Original CVE updated: 2026-06-22
Advisory published: 2026-06-20
Advisory updated: 2026-06-22

Who should care

Administrators and users of Capgo, especially those using SSO (Single Sign-On) for authentication, should be aware of this vulnerability. This issue could allow attackers to gain unauthorized access to victim accounts by exploiting the trust in the SSO provisioning endpoint.

Technical summary

The vulnerability exists in Capgo versions before 12.128.12. Authenticated users can change their public.users.email to any address. Attackers can exploit this by setting their account to a victim's corporate SSO email address. When the victim's SSO identity is provisioned, it merges into the attacker-controlled account, effectively allowing the attacker to hijack the victim's account through SSO identity merging.

Defensive priority

High priority for Capgo administrators and users, especially those relying on SSO for authentication, to update to version 12.128.12 or later to prevent potential account takeovers.

Recommended defensive actions

  • Update Capgo to version 12.128.12 or later to fix the vulnerability.
  • Review and monitor user accounts for any suspicious activity, especially those related to SSO authentication.
  • Implement additional security measures for SSO authentication to reduce the risk of account takeovers.
  • Educate users about the risks of phishing and social engineering attacks that could lead to account compromise.
  • Regularly review and update security configurations and software versions to protect against known vulnerabilities.
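
The merge-by-email pattern from the technical summary, shown beside a stricter provisioning decision and an audit helper for the account review recommended above. This is an added illustration, not Capgo's code or its 12.128.12 fix; the Account fields, function names and sample data are assumptions.

```typescript
// Hypothetical model, not Capgo's schema: verifiedEmail changes only through a
// confirmed flow; profileEmail is user-editable, like public.users.email.
interface Account { id: string; verifiedEmail: string; profileEmail: string; ssoSubject?: string }
interface SsoAssertion { subject: string; email: string }
type Decision =
  | { action: "login" | "link"; accountId: string }
  | { action: "create" }
  | { action: "reject"; reason: string };

const norm = (e: string): string => e.trim().toLowerCase();

// Pattern the advisory describes: merge on the field the user can edit.
function provisionByProfileEmail(accounts: Account[], sso: SsoAssertion): Decision {
  const hit = accounts.find(a => norm(a.profileEmail) === norm(sso.email));
  return hit ? { action: "link", accountId: hit.id } : { action: "create" };
}

// Stricter decision: bind on the IdP subject, link only on a verified email,
// and fail closed (a policy choice) when an unverified claim exists.
function provisionHardened(accounts: Account[], sso: SsoAssertion): Decision {
  const email = norm(sso.email);
  const bound = accounts.find(a => a.ssoSubject === sso.subject);
  if (bound) return { action: "login", accountId: bound.id };
  const claimants = accounts
    .filter(a => norm(a.profileEmail) === email && norm(a.verifiedEmail) !== email)
    .map(a => a.id);
  if (claimants.length > 0) {
    return { action: "reject", reason: "unverified profile email on " + claimants.join(",") };
  }
  const owner = accounts.find(a => !a.ssoSubject && norm(a.verifiedEmail) === email);
  return owner ? { action: "link", accountId: owner.id } : { action: "create" };
}

// Audit helper: accounts whose editable email differs from the verified one.
function findProfileEmailMismatches(accounts: Account[]): string[] {
  return accounts
    .filter(a => norm(a.profileEmail) !== norm(a.verifiedEmail))
    .map(a => a.id);
}

// Constructed sample data (not from any real deployment).
const sampleAccounts: Account[] = [
  { id: "acct-1", verifiedEmail: "mallory@example.net", profileEmail: "Alice@corp.example" },
  { id: "acct-2", verifiedEmail: "bob@corp.example", profileEmail: "bob@corp.example" },
];
const aliceSso: SsoAssertion = { subject: "idp|alice", email: "alice@corp.example" };
```

With the sample data, the profile-email lookup links the SSO identity to acct-1, while the stricter decision rejects the merge and the audit helper reports acct-1 for review.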

Evidence notes

The vulnerability is confirmed in Capgo versions before 12.128.12. The issue allows account merging via a poisoned public.users.email value in SSO provisioning, enabling potential attackers to hijack accounts.

This article is AI-assisted and based on the supplied source corpus. It is intended for informational purposes only and does not provide exhaustive technical analysis or definitive guidance.