Impact
Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive organization management API endpoints, such as editing organization details or inviting users, do not require verification of a completed 2FA challenge on the backend. As a result, an authenticated administrator who has not enabled 2FA can capture or replay a valid organization API request and modify it to perform privileged organization actions, effectively bypassing the globally enforced 2FA requirement. This flaw, a misdirected authentication check (CWE-602), allows the attacker to alter organization settings, invite new users, or otherwise influence privileged configuration without meeting the intended authentication controls.
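The distinction the advisory draws, a 2FA gate that exists only in the UI versus one the API enforces against server-side session state, as an added illustration (this is example code, not Capgo's; the session fields `role` and `mfaVerifiedAt`, the action names and the freshness window are all assumptions):

```javascript
// Added example: the CWE-602 pattern described above and its server-side fix.
// Session shape, route/action names and the MFA freshness window are hypothetical.

// Organization-management actions that must sit behind a completed 2FA challenge.
const PRIVILEGED_ORG_ACTIONS = new Set(['org.update', 'org.invite_user', 'org.remove_user']);

// Before: the UI hides the buttons until 2FA is done, but the API trusts any
// authenticated admin session. A replayed or hand-built request sails through.
function handleOrgActionUiOnly(session, action) {
  if (!session || !session.userId) return { status: 401, error: 'unauthenticated' };
  if (session.role !== 'admin') return { status: 403, error: 'forbidden' };
  return { status: 200, performed: action }; // no 2FA verification anywhere on the server
}

// After: the backend requires that THIS session recently passed a 2FA challenge,
// recorded server-side as `mfaVerifiedAt` (assumed field, set by the 2FA handler).
// Nothing the client sends in the request body can stand in for it; a
// client-supplied "mfaPassed" flag would be the same weakness in a different place.
const MFA_MAX_AGE_MS = 15 * 60 * 1000;

function handleOrgActionServerEnforced(session, action, now = Date.now()) {
  if (!session || !session.userId) return { status: 401, error: 'unauthenticated' };
  if (session.role !== 'admin') return { status: 403, error: 'forbidden' };
  if (PRIVILEGED_ORG_ACTIONS.has(action)) {
    const verifiedAt = session.mfaVerifiedAt;
    // Missing timestamp means 2FA was never completed in this session; a stale
    // one means the step-up has expired and must be repeated.
    if (typeof verifiedAt !== 'number' || now - verifiedAt > MFA_MAX_AGE_MS) {
      return { status: 403, error: 'mfa_required' };
    }
  }
  return { status: 200, performed: action };
}

// Constructed sample: an admin session that never completed 2FA.
const sampleSession = { userId: 'admin-1', role: 'admin' };
console.log(handleOrgActionUiOnly(sampleSession, 'org.invite_user'));          // status 200
console.log(handleOrgActionServerEnforced(sampleSession, 'org.invite_user'));  // status 403
```

Audit tip for similar APIs: the check belongs in a shared middleware applied to every privileged route, so that a newly added endpoint cannot forget it.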
Affected Systems
The affected product is Capgo, specifically any deployment running a version earlier than 12.128.2. No additional product or vendor variants are mentioned, so the scope is limited to that platform and its organization management API.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity vulnerability, while no EPSS score is available, so the current probability of exploitation cannot be estimated. The vulnerability is not listed in CISA's KEV catalog, and no public exploitation evidence is reported. An attacker would first need valid admin credentials (obtained directly or through social engineering or another vulnerability) and would then replay or modify an organization API request. Because privileged actions can be performed without completing a 2FA step, the attack surface is confined to environments where multi-factor authentication is not enforced on the backend, making the risk especially acute for organizations that rely on UI-level 2FA enforcement alone.
OpenCVE Enrichment