CVE-2026-56294

capacitor-native-biometric - Authentication Bypass via Unvalidated CryptoObject in onAuthenticationSucceeded

CVSS 4.3 MEDIUMEPSS 0.2%CWE-287

capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.

CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

capacitor-native-biometric · capacitor-native-biometric

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-vx5f-vmr6-32wf https://www.vulncheck.com/advisories/capacitor-native-biometric-authentication-bypass-via-unvalidated-cryptoobject-in-onauthenticationsucceeded