CVE-2026-56294 | capacitor-native-biometric before 12.128.2 contains an authe… | CVSS 4.8 MEDIUM

Description

capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.

Metadata

CVE ID: CVE-2026-56294
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:49 UTC
Published: 2026-06-20 15:24 UTC
Last updated: 2026-06-20 15:24 UTC
Primary CWE: CWE-287
Improper Authentication
Vendor / Product: capacitor-native-biometric / capacitor-native-biometric
Sources: cve.org · NVD

Severity & Metrics

4.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
capacitor-native-biometric	capacitor-native-biometric	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	Improper Authentication

CVSS scores (2)

Score	Severity	Version	Source	Vector
4.8	MEDIUM	3.1	cna	CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.3	MEDIUM	4.0	cna	CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References (2)

GHSA Advisory GHSA-vx5f-vmr6-32wf https://github.com/Cap-go/capgo/security/advisories/GHSA-vx5f-vmr6-32wf
VulnCheck Advisory: capacitor-native-biometric - Authentication Bypass via Unvalidated CryptoObject in onAuthenticationSucceeded https://www.vulncheck.com/advisories/capacitor-native-biometric-authentication-bypass-via-unvalidated-cryptoobject-in-onauthenticationsucceeded