Skip to main content

Capgo CVE-2026-56215

| EUVDEUVD-2026-38101 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-20 VulnCheck GHSA-c8g9-cm5m-77px
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.9 HIGH

Network-reachable endpoint, low-privilege attacker account required (PR:L), victim's first SSO login is the user interaction (UI:R), scope changes to the federated IdP-bound identity (S:C), high C/I on hijacked tenant.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 20, 2026 - 02:01 EUVD
Analysis Generated
Jun 20, 2026 - 00:46 vuln.today

DescriptionCVE.org

Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.

AnalysisAI

Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege Capgo account
Delivery
Identify victim corporate SSO email
Exploit
Update public.users.email to victim address
Execution
Wait for victim first SSO login
Persist
Provision-user merges SSO identity into attacker account
Impact
Access victim workspace and apps

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an authenticated low-privilege Capgo account on the target instance (PR:L), (2) the target instance to use corporate SSO with the provision-user endpoint enabled and configured to treat the email claim as an account-merge key, and (3) the victim SSO user to have not yet completed a first SSO login on Capgo (otherwise the canonical SSO identity is already bound). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L) and 8.7 base score are well-aligned with the described threat: network-reachable provisioning endpoint, low attacker privileges (any registered Capgo account), no user interaction, and high confidentiality and integrity impact on the hijacked tenant. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers an ordinary Capgo account, then updates their public.users.email to the corporate SSO address of a targeted executive (e.g., cfo@victimcorp.com). When the executive later signs in via their corporate IdP for the first time, the provision-user endpoint locates the attacker's account by email and merges the SSO identity into it, granting the attacker authenticated access to the victim's workspace, app credentials, and update channels. …
Remediation Upgrade to Capgo 12.128.12 or later, which is the vendor-released patch referenced in GHSA-wqc6-fhwf-qpww. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify if Capgo is deployed and confirm SSO provisioning is enabled; if critical to operations, disable the SSO provisioning endpoint or require administrative approval for SSO account linking. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Capgo

View all
CVE-2026-56237 CRITICAL
9.3 Jun 24

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin

CVE-2026-56223 CRITICAL
9.3 Jun 24

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal

CVE-2026-56081 CRITICAL
9.3 Jun 19

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a

CVE-2026-56073 CRITICAL
9.3 Jun 19

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering

CVE-2026-56324 HIGH
8.8 Jun 22

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo

CVE-2026-56245 HIGH
8.8 Jun 24

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing

CVE-2026-56233 HIGH
8.7 Jun 30

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat

CVE-2026-56323 HIGH
8.7 Jun 22

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se

CVE-2026-56305 HIGH
8.7 Jul 10

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (

CVE-2026-56300 HIGH
8.7 Jun 30

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse

CVE-2026-56219 HIGH
8.7 Jun 30

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin

CVE-2026-56230 HIGH
8.7 Jun 30

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited

Share

CVE-2026-56215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy