CVE-2026-56212

Severity: Low (CVSS 3.8)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

Capgo before version 12.128.2 contains an authentication logic flaw that allows a user with permission to manage team or organization security settings to enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account.

Risk Assessment

The failure to verify the initiator's 2FA status before allowing policy changes leads to inconsistent security enforcement, which may result in administrative misuse and lockout risks for team members.

Recommendation

It is recommended to upgrade to version 12.128.2 or later and implement additional controls to ensure that users must first enable 2FA on their accounts before making changes to security policy.
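The check the recommendation describes, as an added illustration that is not Capgo's own code: a vulnerable policy handler that only verifies permission, next to a hardened one that also requires the initiator to have 2FA enabled, plus a preview of which members an org-wide requirement would lock out. The data model, function names and sample users are assumptions.

```typescript
// Added example (not Capgo's code). Models the initiator-2FA check from the
// advisory; the User/OrgPolicy shapes and names below are assumed.

interface User {
  id: string;
  hasTwoFactor: boolean;
  canManageSecurity: boolean;
}

interface OrgPolicy {
  requireTwoFactor: boolean;
}

// Vulnerable variant: checks only the management permission, so an actor
// without 2FA can impose the requirement on everyone else.
function enableMandatory2faVulnerable(initiator: User, policy: OrgPolicy): OrgPolicy {
  if (!initiator.canManageSecurity) {
    throw new Error("forbidden: missing security-management permission");
  }
  return { ...policy, requireTwoFactor: true };
}

// Hardened variant: the initiator must already satisfy the control they are
// turning on before the org-wide policy can change.
function enableMandatory2fa(initiator: User, policy: OrgPolicy): OrgPolicy {
  if (!initiator.canManageSecurity) {
    throw new Error("forbidden: missing security-management permission");
  }
  if (!initiator.hasTwoFactor) {
    throw new Error("precondition failed: enable 2FA on your own account first");
  }
  return { ...policy, requireTwoFactor: true };
}

// Lockout preview: members who would be unable to sign in once the policy is
// enforced. Surfacing this before the change addresses the lockout risk.
function membersLockedOutBy(policy: OrgPolicy, members: User[]): string[] {
  if (!policy.requireTwoFactor) return [];
  return members.filter((m) => !m.hasTwoFactor).map((m) => m.id);
}

// Returns true when the policy change was rejected; used to compare variants.
function isRejected(fn: () => OrgPolicy): boolean {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample data for the demonstration.
const adminWithout2fa: User = { id: "admin-a", hasTwoFactor: false, canManageSecurity: true };
const adminWith2fa: User = { id: "admin-b", hasTwoFactor: true, canManageSecurity: true };
const member: User = { id: "dev-1", hasTwoFactor: false, canManageSecurity: false };
const defaultPolicy: OrgPolicy = { requireTwoFactor: false };
```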

Original NVD description (English source)

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS