Impact
Capgo prior to version 12.128.2 contains an authentication logic flaw that allows any user with permission to manage team or organization security settings to enable mandatory two‑factor authentication for all team members without first enabling two‑factor authentication on their own account. The application does not verify the initiator's 2FA status before making the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and a risk of locking out legitimate users. This flaw represents a privilege‑management weakness (CWE‑269) that can undermine the integrity of the team’s authentication controls.
Affected Systems
The vulnerability affects Capgo deployments running any version before 12.128.2. Operators of older instances are exposed whenever any account, their own included, has been granted the ability to modify team or organization security settings. Upgrading to version 12.128.2 or later removes the flaw: the patch adds a check that the initiator’s own account has two‑factor authentication enabled before that account can alter the enforced‑2FA policy for other members.
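To make the missing precondition concrete, here is an added example that is not Capgo's own code: a minimal model of an "enforce 2FA for the organization" handler in its vulnerable shape beside a fixed shape that applies the check the patch is described as adding, plus a pre-flight helper that lists members who would be locked out. All type and function names (Org, Member, applyEnforce2FAVulnerable, applyEnforce2FAFixed, membersWithout2FA, sampleOrg) are hypothetical, and the sample organization is constructed for the demo.

```typescript
// Added example, not Capgo's code. Names below are hypothetical.
type Member = { id: string; role: "member" | "admin"; twoFactorEnabled: boolean };
type Org = { id: string; members: Map<string, Member>; enforce2FA: boolean };
type Outcome = "applied" | "forbidden" | "initiator_lacks_2fa";

// Vulnerable shape: only the role permission is checked; the initiator's
// own 2FA state is never consulted before the policy is switched on.
function applyEnforce2FAVulnerable(org: Org, initiatorId: string): Outcome {
  const initiator = org.members.get(initiatorId);
  if (!initiator || initiator.role !== "admin") return "forbidden";
  org.enforce2FA = true;
  return "applied";
}

// Fixed shape: same permission check, plus a precondition that the
// initiator already satisfies the policy they are about to impose.
function applyEnforce2FAFixed(org: Org, initiatorId: string): Outcome {
  const initiator = org.members.get(initiatorId);
  if (!initiator || initiator.role !== "admin") return "forbidden";
  if (!initiator.twoFactorEnabled) return "initiator_lacks_2fa";
  org.enforce2FA = true;
  return "applied";
}

// Members who would be locked out once enforcement is on; suitable for a
// pre-flight warning in the UI or an audit entry after the change.
function membersWithout2FA(org: Org): string[] {
  return Array.from(org.members.values())
    .filter((m) => !m.twoFactorEnabled)
    .map((m) => m.id);
}

// Constructed sample organization: two admins (one without 2FA), one member.
function sampleOrg(): Org {
  const members = new Map<string, Member>([
    ["alice", { id: "alice", role: "admin", twoFactorEnabled: false }],
    ["bob", { id: "bob", role: "admin", twoFactorEnabled: true }],
    ["carol", { id: "carol", role: "member", twoFactorEnabled: false }],
  ]);
  return { id: "org-1", members, enforce2FA: false };
}
```

With the sample data, the vulnerable handler lets alice (an admin without 2FA) enable enforcement, while the fixed handler refuses her and accepts bob.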
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity, and the documented absence of a public exploit reduces immediate concern, though the flaw is reachable by anyone holding manager or organization‑level permissions. Because triggering it requires legitimate access with those role privileges, the threat is limited to insiders or compromised accounts, but the potential for lockout or policy disruption is significant. No EPSS score is available and the vulnerability has not been listed in CISA’s KEV catalog, so the likelihood of widespread attack is currently uncertain, while the impact on an affected team can be considerable if the flaw is abused.
OpenCVE Enrichment