HIGHCVE-2026-56256Published 2026-06-24Modified 2026-06-24CNA VulnCheck

CVE-2026-56256: Capgo - Two-Factor Authentication Bypass via Organization Management API

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can replay or modify a previously captured ORG API request to perform privileged organization actions, bypassing the globally enforced 2FA requirement.

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 12.128.2
Affected Products: 1

Fix available

12.128.2

Affected packages

Capgo / Capgo
< 12.128.2 (from 0)
Fixed in 12.128.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-cww4-5xfp-jw98)
VulnCheck Advisory: Capgo - Two-Factor Authentication Bypass via Organization Management API

Metrics

Get notified

Fix available