CVE-2026-56215
Status: Received - Intake
Email Modification in Capgo Leading to Account Merge

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
Meta Information
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: up to 12.128.12 (exclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

CVE-2026-56215 is a vulnerability in Capgo versions before 12.128.12 that allows authenticated users to modify their public.users.email field to any arbitrary email address.

The SSO provisioning endpoint trusts this mutable email field as an account-merge key. An attacker can exploit this by pre-registering an account with a victim's corporate SSO email.

When the real victim later signs in via SSO, the system merges the victim's SSO identity into the attacker-controlled account instead of the victim's legitimate account, due to a trust boundary mismatch.

Impact Analysis

This vulnerability can lead to unauthorized access and account takeover scenarios.

  • Attackers can gain unauthorized membership in the victim's SSO organization.
  • The victim's SSO identity can be transferred to the attacker-controlled account.
  • Attackers may obtain durable access to the victim's tenant or corporate resources.
Detection Guidance

Detecting exploitation involves identifying whether any authenticated user has changed their public.users.email to an address that does not match their trusted auth.users.email.

Since the vulnerability exploits the SSO provisioning endpoint trusting the mutable public.users.email field, monitoring logs for account merges where the public.users.email differs from the auth.users.email can help detect exploitation.

Checks for this include querying the user database for discrepancies between public.users.email and auth.users.email, for example:

  • SQL query (assumes public.users.id references auth.users.id, as in a typical Supabase schema): SELECT p.id, p.email AS public_email, a.email AS auth_email FROM public.users p JOIN auth.users a ON a.id = p.id WHERE lower(p.email) <> lower(a.email);
  • Review SSO provisioning logs for merges triggered by public.users.email values that do not match the authenticated user's email.
Mitigation Strategies

Immediate mitigation steps include preventing users from changing their public.users.email to any value different from their trusted auth.users.email.

Additionally, ensure that the SSO provisioning flow resolves existing accounts using the auth.users.email field rather than the mutable public.users.email field.

It is also recommended to verify that the target account's auth.users.email matches the SSO email claim before merging identities.

Applying the patch or upgrading to Capgo version 12.128.12 or later, where this vulnerability is fixed, is the definitive solution.
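As an added example (not Capgo's code), the TypeScript below models the two tables the advisory names with constructed rows, and contrasts the mutable-key lookup the advisory describes with the hardened resolution and merge guard recommended above, together with the discrepancy check from the detection section. Account ids and addresses are assumptions made for the example.

```typescript
// Added example, not Capgo's code: an in-memory model of the two tables the
// advisory names, used to contrast the mutable-key lookup with the hardened one.
// Table and column names follow the advisory; all row values are constructed.
interface UserRow { id: string; email: string }

// auth.users is written by the identity provider; public.users is the
// user-editable profile table. Rows are constructed for this example.
const authUsers: UserRow[] = [
  { id: "acct-a", email: "someone@personal.example" },
  { id: "acct-b", email: "employee@corp.example" },
];
const publicUsers: UserRow[] = [
  { id: "acct-a", email: "employee@corp.example" }, // mutable field rewritten by acct-a
  { id: "acct-b", email: "employee@corp.example" },
];

const norm = (e: string): string => e.trim().toLowerCase();

// Pre-fix pattern the advisory describes: the SSO email claim is matched
// against the mutable profile email, so whichever profile holds it first wins.
function resolveByPublicEmail(ssoEmail: string): string | undefined {
  return publicUsers.find((u) => norm(u.email) === norm(ssoEmail))?.id;
}

// Hardened resolution: only the provider-owned auth.users.email is a key.
function resolveByAuthEmail(ssoEmail: string): string | undefined {
  return authUsers.find((u) => norm(u.email) === norm(ssoEmail))?.id;
}

// Merge guard from the advisory: before merging an SSO identity into an
// existing account, the target's auth.users.email must equal the claim.
function canMergeInto(targetId: string, ssoEmail: string): boolean {
  const target = authUsers.find((u) => u.id === targetId);
  return target !== undefined && norm(target.email) === norm(ssoEmail);
}

// Detection check from the advisory: accounts whose profile email no longer
// matches their auth email (the in-memory form of the detection query).
function findEmailDiscrepancies(): string[] {
  return publicUsers
    .filter((p) => {
      const a = authUsers.find((u) => u.id === p.id);
      return a !== undefined && norm(a.email) !== norm(p.email);
    })
    .map((p) => p.id);
}
```

With the constructed rows, the mutable-key lookup resolves the corporate claim to acct-a while the hardened lookup resolves it to acct-b, and the discrepancy check flags acct-a.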

Compliance Impact

This vulnerability allows an attacker to merge a victim's SSO identity into an attacker-controlled account, resulting in unauthorized access to the victim's SSO organization and potentially durable access to the victim's tenant.

Such unauthorized access and identity compromise could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over user identity, access, and data confidentiality.

By enabling attackers to impersonate legitimate users and access sensitive organizational resources, the vulnerability undermines compliance with standards that mandate secure authentication and identity management.
