CVE Catalog

CVE-2026-56215

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses. The SSO provisioning endpoint trusts this address as an account-merge key.

Risk Assessment

Attackers can pre-position their account with a victim's corporate SSO email, leading to the merging of the victim's SSO identity into the attacker-controlled account. This poses a significant risk to user data security.

Recommendation

It is recommended to upgrade to Capgo version 12.128.12 or later to prevent users from modifying email addresses. Additionally, implementing further identity verification mechanisms during account merging is advisable.

Original NVD description (English source)

Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS