2026-06-20 15:24 | CVE-2026-56294 | VulnCheck
PUBLISHED | 5.2 | CWE-287

capacitor-native-biometric - Authentication Bypass via Unvalidated CryptoObject in onAuthenticationSucceeded

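capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability: the onAuthenticationSucceeded() method fails to validate its CryptoObject parameters, so the success callback alone, rather than a cryptographic operation gated on a real biometric match, is what grants access. Attackers who can hook the onAuthenticationSucceeded() function using dynamic instrumentation can therefore bypass biometric authentication without valid credentials. Version 12.128.2 is listed as unaffected.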

Problem type

CWE-287: Improper Authentication

Affected products

capacitor-native-biometric

capacitor-native-biometric

< 12.128.2 - AFFECTED

12.128.2 - UNAFFECTED

References

GitHub Security Advisories

GHSA-58pv-hg46-37r9

capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where...

https://github.com/advisories/GHSA-58pv-hg46-37r9

capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-56294
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-56294",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-06-20T15:24:45.431Z",
    "dateReserved": "2026-06-20T12:49:17.829Z",
    "datePublished": "2026-06-20T15:24:45.431Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-06-20T15:24:45.431Z"
      },
      "datePublic": "2026-02-10T00:00:00.000Z",
      "title": "capacitor-native-biometric - Authentication Bypass via Unvalidated CryptoObject in onAuthenticationSucceeded",
      "descriptions": [
        {
          "lang": "en",
          "value": "capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials."
        }
      ],
      "affected": [
        {
          "vendor": "capacitor-native-biometric",
          "product": "capacitor-native-biometric",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "12.128.2"
            },
            {
              "version": "12.128.2",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Authentication",
              "cweId": "CWE-287",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-vx5f-vmr6-32wf",
          "name": "GHSA Advisory GHSA-vx5f-vmr6-32wf",
          "tags": [
            "vendor-advisory"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/capacitor-native-biometric-authentication-bypass-via-unvalidated-cryptoobject-in-onauthenticationsucceeded",
          "name": "VulnCheck Advisory: capacitor-native-biometric - Authentication Bypass via Unvalidated CryptoObject in onAuthenticationSucceeded",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "PHYSICAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "itz-d0dgy-2nd",
          "type": "finder"
        }
      ]
    }
  }
}