Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint, low-privilege attacker account required (PR:L), victim's first SSO login is the user interaction (UI:R), scope changes to the federated IdP-bound identity (S:C), high C/I on hijacked tenant.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
AnalysisAI
Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an authenticated low-privilege Capgo account on the target instance (PR:L), (2) the target instance to use corporate SSO with the provision-user endpoint enabled and configured to treat the email claim as an account-merge key, and (3) the victim SSO user to have not yet completed a first SSO login on Capgo (otherwise the canonical SSO identity is already bound). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L) and 8.7 base score are well-aligned with the described threat: network-reachable provisioning endpoint, low attacker privileges (any registered Capgo account), no user interaction, and high confidentiality and integrity impact on the hijacked tenant. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers an ordinary Capgo account, then updates their public.users.email to the corporate SSO address of a targeted executive (e.g., cfo@victimcorp.com). When the executive later signs in via their corporate IdP for the first time, the provision-user endpoint locates the attacker's account by email and merges the SSO identity into it, granting the attacker authenticated access to the victim's workspace, app credentials, and update channels. … |
| Remediation | Upgrade to Capgo 12.128.12 or later, which is the vendor-released patch referenced in GHSA-wqc6-fhwf-qpww. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Verify if Capgo is deployed and confirm SSO provisioning is enabled; if critical to operations, disable the SSO provisioning endpoint or require administrative approval for SSO account linking. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38101
GHSA-c8g9-cm5m-77px