CVE-2026-56212

LOW 3.8

Capgo - Improper 2FA Enforcement Logic via Team Security Settings

CVSS Score

3.8

EPSS Score

0.0%

EPSS Percentile

0th

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.

CWE	CWE-269
Vendor	capgo
Product	capgo
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for capgo capgo

Be the first to know when new low vulnerabilities affecting capgo capgo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Capgo / Capgo

0 < 12.128.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cap-go/capgo/security/advisories/GHSA-w2cr-vcwj-69x2 vulncheck.com: https://www.vulncheck.com/advisories/capgo-improper-2fa-enforcement-logic-via-team-security-settings