CVE-2026-56256

Capgo - Two-Factor Authentication Bypass via Organization Management API

CVSS 7.1 HIGHEPSS 0.2%CWE-602

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

24 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can replay or modify a previously captured ORG API request to perform privileged organization actions, bypassing the globally enforced 2FA requirement.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

Capgo · Capgo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-cww4-5xfp-jw98 https://www.vulncheck.com/advisories/capgo-two-factor-authentication-bypass-via-organization-management-api