Severity by source
CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Physical vector and high complexity required (Frida hooking on rooted device); no prior app privileges needed; no availability impact; integrity impact limited to auth state bypass.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.
AnalysisAI
Authentication bypass in cap-go/capacitor-native-biometric allows an attacker with physical device access to circumvent biometric authentication by hooking the onAuthenticationSucceeded() callback via dynamic instrumentation. The root cause is that AuthActivity.java's implementation of BiometricPrompt.AuthenticationCallback never retrieves or validates the CryptoObject from the AuthenticationResult, making the entire cryptographic binding between biometric gesture and protected key material moot. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Physical access to the target Android device is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 4.3 (AV:P/AC:H) correctly reflects that exploitation is constrained to physical device access and requires deploying a dynamic instrumentation toolchain (high attack complexity). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains physical access to a target Android device running a Capacitor application that uses capacitor-native-biometric for authentication. Using a rooted device and a dynamic instrumentation framework such as Frida, the attacker injects a script that hooks the onAuthenticationSucceeded() method in AuthActivity and invokes it programmatically without presenting a valid biometric. … |
| Remediation | Update @capgo/capacitor-native-biometric to the patched version via npm: run 'npm install @capgo/capacitor-native-biometric@latest' and verify the installed version is at or above 8.3.6 (per npm evidence) or 12.128.2 (per EUVD/CVE description). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38121
GHSA-58pv-hg46-37r9