CVE-2026-56212

CVE-2026-56212 is a low-severity vulnerability with a CVSS 3.x base score of 3.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-269.

Key facts

Description

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.

Frequently asked questions

What is CVE-2026-56212?
Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.
How severe is CVE-2026-56212?
CVE-2026-56212 has a CVSS 3.x base score of 3.8, rated low severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2026-56212 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-56212?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-56212 have an EU (EUVD) identifier?
Yes. CVE-2026-56212 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38098.
When was CVE-2026-56212 published?
CVE-2026-56212 was published on 2026-06-20 and last updated on 2026-06-23.

References

Other CWE-269 (Improper Privilege Management) vulnerabilities

Browse all CWE-269 (Improper Privilege Management) vulnerabilities →