CVE-2026-56313
Received Received - Intake

Cross-Organization Account Disruption in Capgo via SSO

Vulnerability report for CVE-2026-56313, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.update_settings permission and an active SSO provider can call the prelink-users endpoint to permanently remove email-based authentication for any user matching the provider's email domain, forcing victims to use the attacker's SSO provider or complete password reset recovery.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows enterprise administrators to delete password identities of users in foreign organizations without proper authorization, which can lead to unauthorized access disruptions and potential data access issues.

Such unauthorized account disruptions and forced use of an attacker's SSO provider or password reset recovery could impact compliance with standards like GDPR and HIPAA, which require strict controls on user data access, identity management, and protection against unauthorized actions.

Specifically, improper authorization and cross-organization account disruptions may violate principles of data minimization, user consent, and security controls mandated by these regulations.

Executive Summary

CVE-2026-56313 is a vulnerability in Capgo versions before 12.128.2 that affects the Single Sign-On (SSO) prelink endpoint. It allows enterprise administrators who have the org.update_settings permission and an active SSO provider to delete password identities of users belonging to other organizations.

The flaw occurs because the system does not properly check if users belong to the administrator's organization before deleting their email-based authentication identities. Instead, it deletes identities for all users matching the SSO provider's email domain, regardless of organization membership.

As a result, attackers can permanently remove email/password authentication for users in foreign organizations, forcing those users to either use the attacker's SSO provider or go through a password reset recovery process.

Impact Analysis

This vulnerability can disrupt user access across organizations by allowing an attacker with certain administrative permissions to delete email-based authentication identities of users outside their own organization.

Affected users will be forced to either authenticate using the attacker's SSO provider, which they may not have access to, or complete a password reset recovery process to regain access to their accounts.

This can lead to significant account disruption, potential denial of service for legitimate users, and increased administrative overhead to recover affected accounts.

Detection Guidance

This vulnerability involves misuse of the SSO prelink endpoint by enterprise administrators with org.update_settings permission and an active SSO provider. Detection would involve monitoring calls to the /sso/prelink-users endpoint, especially those that trigger deletion of email-based authentication identities for users outside the administrator's organization.

Commands or monitoring steps could include inspecting logs for unusual API calls to /sso/prelink-users, particularly those initiated by admins with org.update_settings permission. Additionally, reviewing audit logs for deletion of password identities for users from foreign organizations could help detect exploitation attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where the vulnerability has been patched.

Until the patch is applied, restrict or monitor the use of the SSO prelink endpoint, especially limiting org.update_settings permissions to trusted administrators only.

Review and audit active SSO providers and their configurations to ensure no unauthorized domains are linked.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56313. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart