Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable OAuth 2FA bypass requires high-complexity callback manipulation; no prior auth needed, but impact is limited to per-account confidentiality and integrity with no availability consequence.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in Documenso up to 2.11.0. Affected by this vulnerability is an unknown functionality of the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts of the component Google OAuth Login. The manipulation results in improper authentication. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Google OAuth login is enabled on the target Documenso instance - this is not enabled by default in self-hosted deployments and requires explicit OAuth client configuration with Google credentials. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 with AV:N/AC:H accurately reflects a meaningful but operationally constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows a target user's Google account email initiates the Google OAuth login flow against a Documenso instance, then manipulates the OAuth callback URL parameters to omit or subvert the oauth2fa=true signal, causing the application to skip the verify2fa() call and complete authentication without prompting for a TOTP code. A publicly available exploit demonstrating this technique exists at https://github.com/documenso/documenso/issues/2758. … |
| Remediation | Apply the upstream fix from GitHub PR #2837 (https://github.com/documenso/documenso/pull/2837), which adds useSearchParams detection for the oauth2fa=true callback parameter and routes OAuth users through authClient.oauth.verify2fa() for proper 2FA enforcement. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40043
GHSA-3hjr-gmh6-w2qr