{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-56256: Capgo - Two-Factor Authentication Bypass via Organization Management API","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-56256","status":"final","version":"1","initial_release_date":"2026-06-24T11:53:12.194Z","current_release_date":"2026-06-24T13:49:39.681Z","revision_history":[{"date":"2026-06-24T11:53:12.194Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can replay or modify a previously captured ORG API request to perform privileged organization actions, bypassing the globally enforced 2FA requirement.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-56256 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-56256"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-56256"},{"category":"external","summary":"GitHub Security Advisory (GHSA-cww4-5xfp-jw98)","url":"https://github.com/Cap-go/capgo/security/advisories/GHSA-cww4-5xfp-jw98"},{"category":"external","summary":"VulnCheck Advisory: Capgo - Two-Factor Authentication Bypass via Organization Management API","url":"https://www.vulncheck.com/advisories/capgo-two-factor-authentication-bypass-via-organization-management-api"}]},"product_tree":{"branches":[{"category":"vendor","name":"Capgo","branches":[{"category":"product_name","name":"Capgo","branches":[{"category":"product_version_range","name":"<12.128.2","product":{"name":"Capgo Capgo <12.128.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:capgo:capgo:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"12.128.2","product":{"name":"Capgo Capgo 12.128.2","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:capgo:capgo:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-56256","title":"Capgo - Two-Factor Authentication Bypass via Organization Management API","notes":[{"category":"description","text":"Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can replay or modify a previously captured ORG API request to perform privileged organization actions, bypassing the globally enforced 2FA requirement.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N","baseScore":7.1,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 12.128.2.","product_ids":["CSAFPID-1"]}]}]}