PT-2026-51045 · Cap Go · Cap-Go
Judel777 · Published 2026-06-20 · Updated 2026-06-20 · CVE-2026-56215
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Capgo versions prior to 12.128.12
Description
Authenticated users can modify the mutable public.users.email variable to arbitrary addresses. The SSO provisioning endpoint trusts this value as an account-merge key. This allows an attacker to pre-position an account with a victim's corporate SSO email, leading the 'provision-user' endpoint to merge the victim's SSO identity into the account controlled by the attacker.
Recommendations
Update to version 12.128.12 or later.
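The merge-key weakness from the description, as an added TypeScript example for reviewing similar provisioning code. It is not Capgo source and does not reproduce the fix shipped in 12.128.12; every type, function name and sample value below is hypothetical. It contrasts linking on a user-editable email with linking on the identity provider's immutable (issuer, subject) pair.

```typescript
// Added illustration, not Capgo source. Names and sample data are constructed.
interface User { id: string; email: string; ssoIssuer?: string; ssoSubject?: string }
interface SsoAssertion { issuer: string; subject: string; email: string }
type Outcome = { action: "linked" | "created" | "conflict"; user: User };

const sameEmail = (a: string, b: string): boolean =>
  a.trim().toLowerCase() === b.trim().toLowerCase();

function createUser(users: User[], a: SsoAssertion): User {
  const user: User = {
    id: `u-${users.length + 1}`, email: a.email,
    ssoIssuer: a.issuer, ssoSubject: a.subject,
  };
  users.push(user);
  return user;
}

// Weak pattern: a user-editable email field is the merge key.
function provisionByEmail(users: User[], a: SsoAssertion): Outcome {
  const hit = users.find(u => sameEmail(u.email, a.email));
  if (!hit) return { action: "created", user: createUser(users, a) };
  hit.ssoIssuer = a.issuer; // SSO identity is attached to whoever holds the email
  hit.ssoSubject = a.subject;
  return { action: "linked", user: hit };
}

// Hardened pattern: match only on the IdP's immutable (issuer, subject) pair.
function provisionBySubject(users: User[], a: SsoAssertion): Outcome {
  const linked = users.find(
    u => u.ssoIssuer === a.issuer && u.ssoSubject === a.subject);
  if (linked) return { action: "linked", user: linked };
  const clash = users.find(u => sameEmail(u.email, a.email));
  // An email match alone is never a merge; report it so it can be
  // resolved through a verified, out-of-band flow.
  if (clash) return { action: "conflict", user: clash };
  return { action: "created", user: createUser(users, a) };
}

// Constructed sample: an existing, unlinked account that already carries
// the address the IdP will assert for the SSO user.
const sampleUsers = (): User[] => [{ id: "u-1", email: "Alice@corp.example" }];
const assertion: SsoAssertion = {
  issuer: "https://idp.corp.example", subject: "00u-alice",
  email: "alice@corp.example",
};
```

With the sample data, `provisionByEmail` attaches the SSO identity to the existing `u-1` account, while `provisionBySubject` returns a conflict and leaves that account unlinked.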
Fix
IDOR
Affected Products
Cap-Go