← All CVEs

CVE-2026-56223

CRITICAL 9.3

Published 2026-06-24 · Last modified 2026-06-24

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.

ELEVATED IMPACT

Severe if exploited (CVSS 9.3), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.2%chance of exploitation in 30 days · 16th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

9.3CVSS 4.0 · CRITICAL

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires an admin / high-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Capgo

Products Capgo

Weakness (CWE)

  • CWE-287: Improper authentication

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Sources: NVD · CVE.org · EPSS