Skip to content

CVE-2026-56256

is CVE-2026-56256real, exploitable, or a false positive? Here's the community verdict.

☆ Watch
High · CVSS 7.1CWE-602

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can replay or modify a previously captured ORG API request to perform privileged organization actions, bypassing the globally enforced 2FA requirement.

References

NVD MITRE CVE.org

Published

Embed this verdict
TruePositive verdict for CVE-2026-56256
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-56256/badge.svg)](https://www.truepositive.app/cve/CVE-2026-56256)
HTML
<a href="https://www.truepositive.app/cve/CVE-2026-56256"><img src="https://www.truepositive.app/cve/CVE-2026-56256/badge.svg" alt="TruePositive verdict for CVE-2026-56256"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

0 verdicts
Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

    Add a field note or remediationoptional
    Note type

    What are you adding?

    Markdown supported · minimum 20 characters.

    Related CVEs

    Same weakness: CWE-602.