CVE-2026-13543

Improper Authentication in Documenso via Google OAuth Login

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was detected in Documenso up to 2.11.0. Affected by this vulnerability is an unknown functionality of the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts of the component Google OAuth Login. The manipulation results in improper authentication. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

Affected Vendors & Products

Vendor: documenso
Product: documenso
Version / Range: up to 2.11.0 (inclusive)

Exploitability

CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Executive Summary

This vulnerability in Documenso (CVE-2026-13543) is a two-factor authentication (2FA) bypass that occurs during Google OAuth login. The application fails to enforce 2FA when users authenticate via Google OAuth, even if 2FA is enabled for their account. This means an attacker who can compromise a user's OAuth Identity Provider (such as Google) can bypass the 2FA protection entirely and gain full authenticated access to the account.

The issue arises because 2FA enforcement is only applied during email/password logins, not OAuth-based logins. A fix has been proposed that intercepts the OAuth callback, stores the user ID securely, and requires a valid 2FA code before completing login.

Detection Guidance

This vulnerability involves a bypass of two-factor authentication (2FA) when users log in via Google OAuth in the Documenso application. Detection would involve monitoring authentication flows to identify if OAuth logins are bypassing 2FA enforcement.

Specifically, you can look for OAuth login attempts that do not trigger 2FA verification steps. Network or system logs showing successful OAuth logins without subsequent 2FA challenges may indicate exploitation.

Since the vulnerability is related to the OAuth callback handling in the application, commands or tools that inspect authentication logs or monitor OAuth callback URLs could be useful.

  • Check application logs for OAuth login events that do not have corresponding 2FA verification entries.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic to the OAuth callback URL and verify whether 2FA steps are enforced.
  • If the application logs are accessible, grep for OAuth callback URL accesses and check whether 2FA verification endpoints are triggered afterwards, for example:
        grep 'handle-oauth-callback-url' /path/to/logs | grep -v '2fa-verification'
  • Monitor for suspicious login patterns where OAuth logins succeed without 2FA prompts.

Mitigation Strategies

The immediate mitigation step is to apply the patch provided in the pull request that fixes the OAuth 2FA bypass vulnerability.

This fix enforces 2FA during OAuth logins by intercepting the OAuth callback, storing the user ID in an encrypted cookie, and redirecting users to a dedicated 2FA verification endpoint before completing login.

Until the patch is applied, consider temporarily disabling OAuth login methods or enforcing additional monitoring and alerting on OAuth logins to detect potential bypass attempts.

  • Apply the patch from the pull request at https://github.com/documenso/documenso/pull/2837.
  • If patching immediately is not possible, disable Google OAuth login to prevent bypassing 2FA.
  • Increase monitoring of authentication logs for suspicious OAuth login activity.
  • Inform users about the risk and encourage vigilance for unauthorized access.
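
The vulnerable callback shape beside the hardened flow described above, as an added illustration that is not Documenso's own code: the function names, the cookie name `pending_2fa`, the `/2fa/verify` path and the five-minute validity window are assumptions, and `codeValid` stands in for the TOTP check. The pending-login cookie is sealed with AES-256-GCM from node:crypto so a tampered, stale or foreign-key cookie cannot complete the login.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
// Constructed stand-in for the user row looked up by the e-mail the IdP verified.
interface User { id: string; twoFactorEnabled: boolean; }
type CallbackResult =
  | { kind: "session"; userId: string }
  | { kind: "redirect"; location: string; cookie: { name: string; value: string } };

// Vulnerable shape: a verified IdP identity is exchanged for a session at once, so the
// account's 2FA setting is never consulted on the OAuth path (the bug described above).
function handleOauthCallbackVulnerable(user: User): CallbackResult {
  return { kind: "session", userId: user.id };
}

// Hardened shape (hypothetical names): with 2FA enabled, park the user id in an
// encrypted, expiring cookie and send the browser to the 2FA step instead of a session.
const PENDING_COOKIE = "pending_2fa";   // assumed cookie name
const PENDING_TTL_MS = 5 * 60 * 1000;   // assumed validity window
function handleOauthCallbackHardened(user: User, key: Buffer, now = Date.now()): CallbackResult {
  if (!user.twoFactorEnabled) return { kind: "session", userId: user.id };
  const payload = JSON.stringify({ userId: user.id, exp: now + PENDING_TTL_MS });
  return { kind: "redirect", location: "/2fa/verify",
           cookie: { name: PENDING_COOKIE, value: seal(payload, key) } };
}

// The 2FA endpoint unseals the cookie and issues a session only for a fresh cookie and a
// valid code; `codeValid` stands in for the TOTP check, which is out of scope here.
function completeTwoFactor(cookie: string, key: Buffer, codeValid: boolean, now = Date.now()): CallbackResult | null {
  const plain = unseal(cookie, key);
  if (plain === null) return null;
  const { userId, exp } = JSON.parse(plain) as { userId: string; exp: number };
  return now <= exp && codeValid ? { kind: "session", userId } : null;
}

// AES-256-GCM, layout iv(12) || tag(16) || ciphertext, base64. A tampered token,
// a wrong key or a truncated value fails authentication and `unseal` returns null.
function seal(plain: string, key: Buffer): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}
function unseal(token: string, key: Buffer): string | null {
  try {
    const buf = Buffer.from(token, "base64");
    if (buf.length < 29) return null;           // shorter than iv + tag + one byte
    const d = createDecipheriv("aes-256-gcm", key, buf.subarray(0, 12));
    d.setAuthTag(buf.subarray(12, 28));
    return Buffer.concat([d.update(buf.subarray(28)), d.final()]).toString("utf8");
  } catch { return null; }
}
```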

Impact Analysis

This vulnerability can allow attackers to bypass two-factor authentication and gain unauthorized access to user accounts in Documenso if they can compromise the user's OAuth Identity Provider account (e.g., Google).

Such unauthorized access can lead to exposure of sensitive information, unauthorized actions within the application, and potential compromise of the affected system or data.
