CVE-2026-56223: Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malicious IdP can forge SAML assertions containing victim email addresses to trigger account merge and gain full access to victim accounts, organizations, and data.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 12.128.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authentication-bypass and account-takeover vulnerability in Capgo, affecting the provision-user endpoint used during enterprise single sign-on (SSO) flows. An attacker who controls an enterprise org admin account and a malicious identity provider (IdP) can craft SAML assertions (the XML tokens an IdP sends to assert a user's identity) containing a victim's email address; because the provision-user endpoint matches accounts by email without verifying that the SSO provider is authorized for that email domain, the merge succeeds and the attacker gains full access to the victim account, its organizations, and its data. Exploitation requires network access and an existing high-privilege (org admin) account but no victim interaction. A patched-image rebuild at version 12.128.2 is available on HarborGuard for environments running an affected version.
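An added illustration, not Capgo's own code, of the merge decision the synopsis describes: the vulnerable shape merges any existing account whose email matches the SAML assertion, while the hardened shape first requires the asserting IdP to be bound to the caller's org and authorised for the asserted email's domain. All type names, field names and sample data are hypothetical and constructed.

```typescript
// Added example, not Capgo's code: models the provision-user merge decision.
// All type names, fields and sample data below are hypothetical/constructed.
interface SsoProvider {
  orgId: string;             // enterprise org that registered this IdP
  verifiedDomains: string[]; // email domains the org has proven it controls
}

interface SamlAssertion {
  providerOrgId: string; // org whose IdP signed the assertion
  email: string;         // NameID / email attribute asserted by the IdP
}

interface Account { id: string; email: string; }

type Decision =
  | { action: "merge"; accountId: string }
  | { action: "create" }
  | { action: "reject"; reason: string };

function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Vulnerable shape (pre-12.128.2 behaviour as the advisory describes it):
// an email match alone triggers the merge, whatever domains the IdP covers.
function provisionUserVulnerable(a: SamlAssertion, accounts: Account[]): Decision {
  const hit = accounts.find((x) => x.email.toLowerCase() === a.email.toLowerCase());
  return hit ? { action: "merge", accountId: hit.id } : { action: "create" };
}

// Hardened shape: the asserting provider must be bound to the caller's org and
// authorised for the asserted email's domain before any account lookup happens.
function provisionUserHardened(a: SamlAssertion, p: SsoProvider, accounts: Account[]): Decision {
  if (p.orgId !== a.providerOrgId) return { action: "reject", reason: "provider not bound to org" };
  const domain = emailDomain(a.email);
  if (domain === null) return { action: "reject", reason: "malformed email" };
  if (!p.verifiedDomains.map((d) => d.toLowerCase()).includes(domain)) {
    return { action: "reject", reason: `domain ${domain} not verified for org ${p.orgId}` };
  }
  return provisionUserVulnerable(a, accounts); // email match is now safe to honour
}

// Constructed sample: an org's IdP asserts an email outside its verified domains.
const accounts: Account[] = [{ id: "u-1", email: "alice@other.example" }];
const provider: SsoProvider = { orgId: "org-a", verifiedDomains: ["org-a.example"] };
const crossDomain: SamlAssertion = { providerOrgId: "org-a", email: "alice@other.example" };
```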
HarborGuard Coverage
Detection of CVE-2026-56223 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Capgo images, in both registry scans and CI/CD pipeline checks. Any image carrying a Capgo version below 12.128.2 will surface a finding flagged at CRITICAL severity.
HarborGuard scores this finding at CVSS v4.0 9.3 (CRITICAL) and applies each customer organization's compliance policy weighting before routing the alert. Findings are directed to the appropriate team inbox inside each customer org based on configured ownership rules, ensuring the right engineers see the alert without manual triage steps.
A patched-image rebuild at Capgo 12.128.2 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild, run regression tests against the new image, and open a pull request against affected workloads; for CRITICAL-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Capgo provision-user endpoint over the network; the CVSS vector records AV:N, meaning the vulnerable surface is exposed to network-accessible requests.
- Authentication: Required
The attacker must hold an enterprise org admin account (CVSS PR:H); any lower-privilege account is not sufficient to trigger the vulnerable SSO provisioning flow.
- Victim interaction: Not required
No action by the victim is needed; the account merge is triggered entirely server-side when the attacker submits the forged SAML assertion (CVSS UI:N).
- Attack complexity: Low
Attack complexity is low (CVSS AC:L); the exploit is reliable and does not depend on race conditions, memory layout, or other environmental factors beyond holding org admin credentials and controlling a malicious IdP.
Blast Radius
- Reads all data stored in the victim account, including application configurations, API keys, and any secrets stored within associated Capgo organizations.
- Gains write access to victim-owned organizations and their settings, allowing modification or deletion of deployments, channels, and access controls.
- Takes over organizational memberships and can invite or remove members, effectively locking the legitimate owner out of their organization.
- Propagates access to any downstream systems or integrations that trust Capgo organization membership or API credentials.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-56223 activates automatically as images are scanned against the advisory feed, flagging any Capgo image below 12.128.2 at CRITICAL severity with no additional configuration required. Where compliance policy permits, a patched-image rebuild at 12.128.2 becomes available immediately upon detection; for customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for CRITICAL-severity issues is around 90 minutes. Customers who cannot immediately upgrade should consider applying network policy controls to restrict access to the provision-user endpoint to known, authorized IdP IP ranges, and should audit enterprise org admin account assignments to limit the pool of accounts that can initiate SSO provisioning flows. HarborGuard will continue re-checking the advisory on each ingest cycle and will surface any upstream guidance changes as they are published.
Fix available
- Capgo / Capgo: affected versions < 12.128.2 (from 0); fixed in 12.128.2
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N