CVE-2026-56294
Received - Intake
Biometric Authentication Bypass in Capacitor Native Biometric

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: cap-go
Product: capacitor-native-biometric
Version / Range: to 12.128.2 (exc)

CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-56294 is an authentication bypass vulnerability in the capacitor-native-biometric library versions before 12.128.2. The vulnerability occurs because the onAuthenticationSucceeded() method does not properly validate the CryptoObject parameters. Attackers can exploit this by hooking the onAuthenticationSucceeded() function using dynamic instrumentation tools like Frida, allowing them to bypass biometric authentication without providing valid credentials.

Impact Analysis

This vulnerability allows attackers to bypass biometric authentication, potentially granting unauthorized access to applications or systems that rely on the capacitor-native-biometric library for biometric security. An attacker could gain access without valid biometric credentials, compromising the security of the affected system.

Detection Guidance

This vulnerability can be detected by checking if the cap-go/capacitor-native-biometric library version in use is prior to 12.128.2, as those versions contain the authentication bypass flaw.

Detection can also involve monitoring for dynamic instrumentation or hooking attempts on the onAuthenticationSucceeded() function, which attackers use to bypass biometric authentication.

A practical approach is to use dynamic analysis tools such as Frida to test if the onAuthenticationSucceeded() method can be hooked and manipulated to bypass authentication.

  • Check the installed version of capacitor-native-biometric to confirm if it is older than 12.128.2.
  • Use Frida scripts to attempt hooking the onAuthenticationSucceeded() function and observe if authentication can be bypassed.
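
One way to run the version check above across a whole project, as an added example (not code from the library or from this advisory): it parses an npm lockfile's `packages` map and flags every installed copy of capacitor-native-biometric before 12.128.2. The `@capgo` scope, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag capacitor-native-biometric versions before 12.128.2
// (the fixed release named in the advisory) in an npm lockfile (v2/v3 format).
const FIXED = [12, 128, 2];
// Assumption: the package may be installed scoped or unscoped.
const NAME_RE = /(^|\/)capacitor-native-biometric$/;

// Returns true (vulnerable), false (fixed) or null (version not parseable).
function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return null;
  const nums = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  // Same x.y.z: a pre-release tag (e.g. 12.128.2-beta.1) sorts before the fix.
  return Boolean(m[4]);
}

// Walks every installed copy, including ones nested under other packages.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!NAME_RE.test(name)) continue;
    const verdict = isVulnerable(meta.version);
    const status = verdict === null ? 'unknown' : verdict ? 'vulnerable' : 'fixed';
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (paths, scope and versions are illustrative).
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@capgo/capacitor-native-biometric': { version: '12.127.9' },
    'node_modules/some-plugin/node_modules/capacitor-native-biometric': { version: '12.128.2' },
    'node_modules/@capacitor/core': { version: '7.0.0' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version}  ${f.path}`);
}
```

To audit a real project, pass the text of its `package-lock.json` to `auditLockfile`; entries reported as `unknown` have no parseable version and need a manual look.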

Mitigation Strategies

The immediate mitigation step is to upgrade the capacitor-native-biometric library to version 12.128.2 or later, where the vulnerability has been patched.

Avoid using versions prior to 12.128.2 in production environments to prevent exploitation of the authentication bypass.

Additionally, monitor for suspicious dynamic instrumentation activities such as hooking attempts on authentication functions.
