CVE-2026-56223
Status: Received - Intake
Cross-Domain SSO Account Takeover in Capgo

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: up to but excluding 12.128.2
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-56223 is a critical vulnerability in the Capgo Single Sign-On (SSO) system affecting versions before 12.128.2. It occurs in the provision-user endpoint, where the system merges user accounts based solely on matching email addresses without verifying whether the authenticating SSO provider is authorized for the victim's email domain.

An attacker who has enterprise organization admin access and controls a malicious Identity Provider (IdP) can forge SAML assertions containing victim email addresses. This triggers the account merge process, allowing the attacker to gain full access to the victim's accounts, organizations, and data.

The root cause is a failure to enforce strict domain-authorization validation during the merge process, which bypasses domain isolation and enables cross-organization access.

Impact Analysis

This vulnerability can lead to a full account takeover by an attacker who can merge arbitrary victim accounts based on email matches without proper domain authorization.

  • Attackers can gain unauthorized access to victim accounts, organizations, and sensitive data.
  • If the victim is an admin, the attacker can escalate privileges and control entire organizations.
  • The flaw compromises confidentiality and integrity of user and organizational data.
Mitigation Strategies

To mitigate CVE-2026-56223 in Capgo versions before 12.128.2, the recommended immediate step is to upgrade Capgo to version 12.128.2 or later, where the issue is fixed.

The fix involves adding strict domain-authorization validation in the account merge path to ensure that the authenticating SSO provider matches the victim's email domain, preventing unauthorized cross-domain account merges.
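The check described above, shown as an added example that is not Capgo's code: the flawed pattern merges by email match alone, while the hardened `provision_user` first requires that the authenticating organisation's SSO configuration lists the asserted email's domain as verified. The `SsoConfig.verified_domains` field, the organisation and account names, and the fixture data are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """A local user record (constructed for this example)."""
    account_id: str
    email: str
    org_ids: set = field(default_factory=set)


@dataclass(frozen=True)
class SsoConfig:
    """Per-organisation SSO settings. `verified_domains` is an assumed field holding
    the e-mail domains the organisation has proven it owns."""
    org_id: str
    verified_domains: frozenset


class DomainNotAuthorized(Exception):
    """The authenticating organisation's IdP is not allowed to vouch for this domain."""


def email_domain(email: str) -> str:
    """Lower-cased domain part of an e-mail; malformed values are rejected outright."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed e-mail in assertion: {email!r}")
    return domain.lower()


def link_account(accounts: dict, org_id: str, email: str) -> Account:
    """Shared primitive: find (or create) the account for this e-mail and link it to org_id."""
    key = email.lower()
    account = accounts.get(key)
    if account is None:
        account = accounts[key] = Account(account_id=f"acct-{len(accounts) + 1}", email=key)
    account.org_ids.add(org_id)
    return account


def merge_by_email_unchecked(accounts: dict, org_id: str, assertion_email: str) -> Account:
    """The flawed pattern the advisory describes: e-mail match alone decides the merge,
    so any organisation's IdP can attach itself to an account on any domain."""
    return link_account(accounts, org_id, assertion_email)


def provision_user(accounts: dict, sso_configs: dict, org_id: str, assertion_email: str) -> Account:
    """Hardened pattern: the merge happens only if the org's SSO configuration lists the
    asserted e-mail's domain as verified. Exact match only, so a verified
    'victim.example' covers neither 'sub.victim.example' nor 'victim.example.evil'."""
    config = sso_configs.get(org_id)
    if config is None:
        raise DomainNotAuthorized(f"org {org_id!r} has no SSO configuration")
    domain = email_domain(assertion_email)
    if domain not in config.verified_domains:
        raise DomainNotAuthorized(f"org {org_id!r} is not authorised for domain {domain!r}")
    return link_account(accounts, org_id, assertion_email)


def fresh_state():
    """Constructed fixture: alice already exists under org-victim; org-other owns a
    different domain and has no claim on victim.example."""
    accounts = {"alice@victim.example": Account("acct-1", "alice@victim.example", {"org-victim"})}
    sso_configs = {
        "org-victim": SsoConfig("org-victim", frozenset({"victim.example"})),
        "org-other": SsoConfig("org-other", frozenset({"other.example"})),
    }
    return accounts, sso_configs


def demo() -> dict:
    """Run both paths against the same cross-domain assertion and report the outcome."""
    accounts, _ = fresh_state()
    flawed = merge_by_email_unchecked(accounts, "org-other", "alice@victim.example")

    accounts, sso_configs = fresh_state()
    try:
        provision_user(accounts, sso_configs, "org-other", "alice@victim.example")
        rejected = False
    except DomainNotAuthorized:
        rejected = True
    # A legitimate same-domain assertion (mixed case) still provisions normally.
    bob = provision_user(accounts, sso_configs, "org-victim", "Bob@VICTIM.example")

    return {
        "flawed_linked_orgs": set(flawed.org_ids),
        "hardened_cross_domain_rejected": rejected,
        "alice_orgs_after_hardened_attempt": set(accounts["alice@victim.example"].org_ids),
        "bob_orgs": set(bob.org_ids),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The authorisation check runs before any account lookup, so a rejected assertion never touches the victim's record, and domain comparison is exact and case-normalised so that lookalike or parent domains do not satisfy it.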

Compliance Impact

This vulnerability allows attackers to gain unauthorized full access to victim accounts, organizations, and data by exploiting a flaw in the SSO account merge process. Such unauthorized access to sensitive personal and organizational data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal and health information.

By enabling cross-domain account takeover without proper domain authorization validation, the vulnerability undermines confidentiality and integrity of data, increasing the risk of data breaches and non-compliance with standards requiring secure authentication and access controls.
