CVE-2026-56212
Capgo - Improper 2FA Enforcement Logic via Team Security Settings
Severity
LOW
Title source: cnaDescription
Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.
References (2)
Core References
Third Party Advisory
VulnCheck Advisory: Capgo - Improper 2FA Enforcement Logic via Team Security Settings
https://www.vulncheck.com/advisories/capgo-improper-2fa-enforcement-logic-via-team-security-settings
Vendor Advisory
GHSA Advisory GHSA-w2cr-vcwj-69x2
https://github.com/Cap-go/capgo/security/advisories/GHSA-w2cr-vcwj-69x2
Scores
CVSS v3
3.8
EPSS
0.0021
EPSS Percentile
10.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-269
Status
published
Products (2)
Capgo/Capgo < 12.128.2 (affected)
Capgo/Capgo 12.128.2 (fixed)
Published
Jun 20, 2026
Tracked Since
Jun 20, 2026