PT-2026-51765 · Cap Go · Cap-Go
Offset
·
Publicado
2026-06-24
·
Atualizado
2026-06-24
·
CVE-2026-56223
CVSS v3.1
8.7
Alta
| Vetor | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.
Correção
Improper Authentication
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Cap-Go