CVE-2026-56215
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses. The SSO provisioning endpoint trusts this address as an account-merge key.
Risk Assessment
Attackers can pre-position their account with a victim's corporate SSO email, leading to the merging of the victim's SSO identity into the attacker-controlled account. This poses a significant risk to user data security.
Recommendation
It is recommended to upgrade to Capgo version 12.128.12 or later to prevent users from modifying email addresses. Additionally, implementing further identity verification mechanisms during account merging is advisable.
Original NVD description (English source)
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.

