Skip to main content

Capgo CVE-2026-56256

| EUVDEUVD-2026-38743 HIGH
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-06-24 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network API reachable (AV:N), simple replay (AC:L), requires authenticated admin role so PR:L not PR:N, no UI, integrity high via org changes, confidentiality low, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 13:01 EUVD
Analysis Generated
Jun 24, 2026 - 12:20 vuln.today

DescriptionCVE.org

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can replay or modify a previously captured ORG API request to perform privileged organization actions, bypassing the globally enforced 2FA requirement.

AnalysisAI

Two-factor authentication bypass in Capgo before 12.128.2 allows an authenticated admin who has not completed 2FA enrollment to perform privileged organization management actions by replaying or modifying captured API requests. The flaw stems from 2FA being enforced exclusively in the frontend UI while the backend ORG management endpoints accept requests without verifying 2FA completion. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Capgo admin credentials
Delivery
Capture legitimate ORG API request
Exploit
Replay or modify request bypassing UI 2FA gate
Execution
Backend accepts call without 2FA check
Persist
Edit organization or invite attacker-controlled user
Impact
Escalate access within tenant

Vulnerability AssessmentAI

Exploitation The attacker must already hold valid credentials for a Capgo Admin account whose user has not enabled two-factor authentication, and must be able to send authenticated HTTP requests to the organization management API endpoints (such as the organization-edit and user-invite routes) on a Capgo instance running a version before 12.128.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and score of 7.1 align with the description: network-reachable API, low complexity, requires existing low-privileged (admin-role) authentication, no user interaction, primary integrity impact on organization state with limited confidentiality exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who phishes or otherwise obtains the credentials of a Capgo admin that never enrolled in 2FA logs in and observes - or captures from a prior session - a legitimate organization-management API call such as PATCH /org or POST /org/invite. Replaying that request (or crafting a modified copy with a new invitee email or altered organization settings) succeeds because the backend does not verify 2FA completion, letting the attacker add themselves to the organization or change its configuration without ever passing the second factor.
Remediation Upgrade to Capgo 12.128.2 or later, which is the vendor-released patch that enforces 2FA validation server-side on organization management endpoints, per the GitHub advisory at https://github.com/Cap-go/capgo/security/advisories/GHSA-cww4-5xfp-jw98. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Capgo installations to identify version, enumerate administrative accounts, and verify 2FA enrollment status for each admin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Capgo

View all
CVE-2026-56237 CRITICAL
9.3 Jun 24

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin

CVE-2026-56223 CRITICAL
9.3 Jun 24

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal

CVE-2026-56081 CRITICAL
9.3 Jun 19

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a

CVE-2026-56073 CRITICAL
9.3 Jun 19

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering

CVE-2026-56324 HIGH
8.8 Jun 22

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo

CVE-2026-56245 HIGH
8.8 Jun 24

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing

CVE-2026-56233 HIGH
8.7 Jun 30

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat

CVE-2026-56323 HIGH
8.7 Jun 22

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se

CVE-2026-56305 HIGH
8.7 Jul 10

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (

CVE-2026-56300 HIGH
8.7 Jun 30

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse

CVE-2026-56219 HIGH
8.7 Jun 30

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin

CVE-2026-56230 HIGH
8.7 Jun 30

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited

Share

CVE-2026-56256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy