CVE-2026-56294
Deferred Deferred - Pending Action

Biometric Authentication Bypass in Capacitor Native Biometric

Vulnerability report for CVE-2026-56294, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-22

Assigner: VulnCheck

Description

capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cap-go capacitor-native-biometric to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56294 is an authentication bypass vulnerability in the capacitor-native-biometric library versions before 12.128.2. The vulnerability occurs because the onAuthenticationSucceeded() method does not properly validate the CryptoObject parameters. Attackers can exploit this by hooking the onAuthenticationSucceeded() function using dynamic instrumentation tools like Frida, allowing them to bypass biometric authentication without providing valid credentials.

Impact Analysis

This vulnerability allows attackers to bypass biometric authentication mechanisms, potentially granting unauthorized access to applications or systems that rely on the capacitor-native-biometric library for biometric security. This means that an attacker could gain access without valid biometric credentials, compromising the security of the affected system.

Detection Guidance

This vulnerability can be detected by checking if the cap-go/capacitor-native-biometric library version in use is prior to 12.128.2, as those versions contain the authentication bypass flaw.

Detection can also involve monitoring for dynamic instrumentation or hooking attempts on the onAuthenticationSucceeded() function, which attackers use to bypass biometric authentication.

A practical approach is to use dynamic analysis tools such as Frida to test if the onAuthenticationSucceeded() method can be hooked and manipulated to bypass authentication.

  • Check the installed version of capacitor-native-biometric to confirm if it is older than 12.128.2.
  • Use Frida scripts to attempt hooking the onAuthenticationSucceeded() function and observe if authentication can be bypassed.
Mitigation Strategies

The immediate mitigation step is to upgrade the capacitor-native-biometric library to version 12.128.2 or later, where the vulnerability has been patched.

Avoid using versions prior to 12.128.2 in production environments to prevent exploitation of the authentication bypass.

Additionally, monitor for suspicious dynamic instrumentation activities such as hooking attempts on authentication functions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart