Skip to main content

Documenso CVE-2026-13543

| EUVDEUVD-2026-40043 LOW
Improper Authentication (CWE-287)
2026-06-29 VulDB GHSA-3hjr-gmh6-w2qr
2.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Network-exploitable OAuth 2FA bypass requires high-complexity callback manipulation; no prior auth needed, but impact is limited to per-account confidentiality and integrity with no availability consequence.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jun 29, 2026 - 07:37 NVD
MEDIUM LOW
CVSS changed
Jun 29, 2026 - 07:37 NVD
6.3 (MEDIUM) 2.9 (LOW)
Source Code Evidence Fetched
Jun 29, 2026 - 07:18 vuln.today
Analysis Generated
Jun 29, 2026 - 07:18 vuln.today

DescriptionCVE.org

A vulnerability was detected in Documenso up to 2.11.0. Affected by this vulnerability is an unknown functionality of the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts of the component Google OAuth Login. The manipulation results in improper authentication. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

AnalysisAI

Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Documenso instance with Google OAuth enabled
Delivery
Know target user's linked Google account identity
Exploit
Initiate Google OAuth login flow for target account
Execution
Manipulate oauth2fa callback URL parameter to suppress 2FA prompt
Persist
Application routes through emailPassword path bypassing verify2fa()
Impact
Gain unauthorized access to victim account

Vulnerability AssessmentAI

Exploitation Exploitation requires that Google OAuth login is enabled on the target Documenso instance - this is not enabled by default in self-hosted deployments and requires explicit OAuth client configuration with Google credentials. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with AV:N/AC:H accurately reflects a meaningful but operationally constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows a target user's Google account email initiates the Google OAuth login flow against a Documenso instance, then manipulates the OAuth callback URL parameters to omit or subvert the oauth2fa=true signal, causing the application to skip the verify2fa() call and complete authentication without prompting for a TOTP code. A publicly available exploit demonstrating this technique exists at https://github.com/documenso/documenso/issues/2758. …
Remediation Apply the upstream fix from GitHub PR #2837 (https://github.com/documenso/documenso/pull/2837), which adds useSearchParams detection for the oauth2fa=true callback parameter and routes OAuth users through authClient.oauth.verify2fa() for proper 2FA enforcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13543 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy