Capgo - Account Merge via Poisoned public.users.email in SSO Provisioning
Description
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The SSO provisioning endpoint trusts the attacker-controlled public.users.email as a pre-merge identity key instead of using the immutable auth.users.email."
Attack vector
An authenticated attacker updates their own `public.users.email` to the victim's corporate email address. When the real victim later authenticates via SSO, the `/private/sso/provision-user` endpoint receives the victim's trusted SSO email claim and first searches `public.users` by that email, so the attacker's poisoned row is returned. The service-role merge flow then provisions the attacker-controlled user ID into the victim's SSO organization, transfers the victim's SSO identity to the attacker's account, and deletes the duplicate legitimate SSO user. The attacker needs only a normal authenticated Capgo account and knowledge of a victim email address that belongs to an active SSO provider tenant.
Affected code
The trust boundary mismatch occurs between **auth.users.email** (trusted identity email) and **public.users.email** (mutable profile column, defined without a unique or FK constraint back to auth.email). The SSO provisioning endpoint at `supabase/functions/_backend/private/sso/provision-user.ts:333` queries the attacker-controlled `public.users` table by email before falling back to the safe `auth.users.email` lookup. The RLS policy `Allow owner to update own users` (prod.sql:16707) only checks row ownership but does **not** validate that the new `public.users.email` belongs to the authenticated user's auth identity.
What the fix does
The root advisory recommends that the SSO merge flow resolve existing accounts from `auth.users.email` instead of `public.users.email`, and that it only proceed with a merge when the target account's `auth.users.email` matches the SSO email claim. Additionally, an RLS `WITH CHECK` or database trigger should prevent users from changing `public.users.email` to a value that differs from their trusted `auth.users.email`; making the profile email read-only and syncing it only from trusted auth metadata would also close the attack surface. The patch (not provided in the bundle) would need to remove the attacker-controllable `public.users.email` lookup as an identity-merge key and enforce that profile email changes are constrained to the user's own verified auth email.
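The following Postgres/Supabase SQL is an added illustration of the mitigations described above; it is not Capgo's patch or any code from the advisory. It assumes (unconfirmed by the page) that `public.users.id` equals the corresponding `auth.users.id`, that the JWT presented to PostgREST carries the standard Supabase `email` claim, and that the existing policy name `Allow owner to update own users` can be recreated in place. The function and trigger names are invented for the example.

```sql
-- Added example (not Capgo's code): pin public.users.email to the trusted
-- auth.users.email so a profile row can never carry someone else's address.
-- Assumption: public.users.id = auth.users.id for the same person.

-- 1. Row-level security. The original policy only had a USING clause
--    (ownership). The WITH CHECK clause rejects any UPDATE whose resulting
--    email differs from the caller's own JWT email claim.
ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS "Allow owner to update own users" ON public.users;
CREATE POLICY "Allow owner to update own users" ON public.users
  FOR UPDATE
  USING (auth.uid() = id)                          -- ownership check, as before
  WITH CHECK (
    auth.uid() = id
    AND lower(email) = lower(auth.jwt() ->> 'email') -- new: email must be the caller's
  );

-- 2. Defence in depth. Service-role writes bypass RLS, so a BEFORE trigger
--    overwrites any incoming email with the value from auth.users. Running as
--    SECURITY DEFINER lets it read auth.users, which ordinary roles cannot.
CREATE OR REPLACE FUNCTION public.sync_email_from_auth()   -- hypothetical name
RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, auth
AS $$
BEGIN
  SELECT u.email INTO NEW.email
  FROM auth.users u
  WHERE u.id = NEW.id;

  IF NEW.email IS NULL THEN
    RAISE EXCEPTION 'public.users % has no matching auth.users row', NEW.id;
  END IF;
  RETURN NEW;
END;
$$;

DROP TRIGGER IF EXISTS users_email_from_auth ON public.users;   -- hypothetical name
CREATE TRIGGER users_email_from_auth
  BEFORE INSERT OR UPDATE OF email ON public.users
  FOR EACH ROW EXECUTE FUNCTION public.sync_email_from_auth();

-- 3. The provisioning lookup keys on the immutable auth.users.email only.
--    $1 is the email claim taken from the verified SSO assertion; the merge
--    proceeds only when a row matches here, never via public.users.email.
SELECT u.id
FROM auth.users u
WHERE lower(u.email) = lower($1);
```

With the policy and trigger in place, an authenticated user who issues `UPDATE public.users SET email = 'victim@corp.example' WHERE id = auth.uid()` either fails the `WITH CHECK` or has the value silently reset to their own `auth.users.email`, so the poisoned row the merge flow would otherwise find no longer exists; step 3 removes the mutable column from the identity decision entirely.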
Preconditions
- Auth: Attacker must have a normal authenticated Capgo account.
- Input: Attacker must know a victim email address that belongs to an organization with an active SSO provider configured in Capgo.
- Network: The victim must later authenticate via that SSO provider.
- Config: The vulnerable SSO provisioning code path must be reachable (no config-level protection blocking the mutable `public.users.email` lookup).
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-wqc6-fhwf-qpww (MITRE; vendor advisory)
- www.vulncheck.com/advisories/capgo-account-merge-via-poisoned-public-users-email-in-sso-provisioning (MITRE; third-party advisory)