CVE-2026-56336
Received Received - Intake

Information Disclosure in Capgo via Unauthenticated SSO Check

Vulnerability report for CVE-2026-56336, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values. Attackers can enumerate email domains to build mappings of domains to organization UUIDs and SSO provider identifiers, enabling reconnaissance against Capgo tenants.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to remove the unused provider_id and org_id fields from the client-facing response of the /private/sso/check-domain endpoint.

Additionally, implementing authentication middleware on this endpoint to prevent unauthenticated access and applying proper rate limiting to prevent bulk enumeration are recommended.

Updating Capgo to version 12.128.2 or later, where this vulnerability is fixed, is the best long-term solution.

Compliance Impact

The vulnerability exposes internal organization identifiers and SSO provider IDs through an unauthenticated endpoint, which constitutes an information disclosure issue. This exposure violates the principle of minimal disclosure and could aid attackers in reconnaissance activities against tenants.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized disclosure of internal identifiers could potentially impact compliance by exposing sensitive organizational information that should be protected under data privacy and security regulations.

Therefore, organizations using affected versions of Capgo might face increased risk of non-compliance with regulations that mandate strict control over sensitive information disclosure, especially if such information can be linked to individuals or organizational data.

Impact Analysis

This vulnerability allows attackers to gather sensitive internal information about organizations using Capgo by enumerating email domains and retrieving associated internal org_id and provider_id values.

Such reconnaissance can facilitate targeted attacks against Capgo tenants, as attackers gain insight into the internal structure and identifiers of organizations.

Although no direct privilege escalation or immediate compromise is possible from this vulnerability alone, the exposure of sensitive information increases the risk surface and can aid attackers in planning more effective attacks.

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP requests to the /private/sso/check-domain endpoint of the Capgo application and inspecting the JSON response for the presence of internal org_id and provider_id fields.

A simple command to test this could be using curl to query the endpoint with a domain parameter and checking the response for sensitive information exposure.

  • curl -X GET "https://<capgo-instance>/private/sso/check-domain?domain=example.com" -v
  • Look for JSON fields such as "org_id" and "provider_id" in the response which indicate the vulnerability.
Executive Summary

CVE-2026-56336 is an information disclosure vulnerability in Capgo versions before 12.128.2. It exists in an unauthenticated endpoint, /private/sso/check-domain, which returns internal organization identifiers (org_id) and SSO provider identifiers (provider_id) in its response. These fields are not used by any frontend client code but are exposed nonetheless.

Because the endpoint lacks authentication and has a trivial rate limit that can be bypassed, attackers can enumerate email domains to map them to internal organization UUIDs and SSO provider IDs. This enables attackers to perform reconnaissance against Capgo tenants, gathering sensitive internal mappings that could be used in further targeted attacks.

While the vulnerability does not allow direct privilege escalation, it violates the principle of minimal disclosure by exposing sensitive internal information unnecessarily.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart