Description
capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.
Published: 2026-06-20
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in the capacitor-native-biometric plugin, where the onAuthenticationSucceeded() method does not enforce validation of the CryptoObject that it receives. Attackers can exploit this by hooking into the method through dynamic instrumentation, enabling them to bypass biometric authentication without possessing valid credentials. Because the method can be invoked by an attacker who is already able to execute code on the device, this bypass compromises the integrity of the authentication flow, potentially allowing unauthorized access to protected application data or functions.

Affected Systems

The only affected product is capacitor-native-biometric; every release prior to version 12.128.2 is vulnerable. Applications using an earlier version of the plugin are at risk; no other vendors or products are identified as affected.

Risk and Exploitability

The low CVSS score reflects the limited reach of the flaw, but the potential impact on application credential integrity warrants attention, especially in high-sensitivity environments.

Generated by OpenCVE AI on June 20, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade capacitor-native-biometric to version 12.128.2 or later, which implements proper CryptoObject validation in onAuthenticationSucceeded().
  • Disable or restrict dynamic instrumentation and debugging capabilities on the target devices to reduce the likelihood that an attacker can hook the vulnerable method. This can be achieved by enforcing device management policies that block root access, disabling adb over network, or using secure application variants where instrumentation is prohibited.
  • Implement monitoring or logging around biometric authentication events to detect anomalous invocations of onAuthenticationSucceeded() that may indicate misuse or tampering.
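The first recommended action describes the defensive pattern on the application side: treat the CryptoObject delivered to onAuthenticationSucceeded() as the proof of authentication, not the mere fact that the callback ran. The Android code below is an added example written for this page; it is not code from capacitor-native-biometric, and it is not the fix shipped in 12.128.2. The key alias, the UnlockListener interface and the idea of storing an app secret wrapped under a keystore key are assumptions of the example. The protected key is created with setUserAuthenticationRequired(true), so the keystore, rather than the callback, decides whether the Cipher inside the CryptoObject may be used; a callback reached with no CryptoObject, or with a Cipher the keystore never authorized, cannot unwrap anything.

```java
// Added example: binding an application secret to the CryptoObject that
// BiometricPrompt returns. Not code from capacitor-native-biometric; the
// key alias, listener interface and wrapped-secret handling are assumed.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class BoundBiometricUnlock {
    private static final String KEY_ALIAS = "app_unlock_key"; // assumed alias

    // One-time key creation. The key is usable only after the user has
    // authenticated; the keystore enforces this, not application code.
    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        kg.generateKey();
    }

    // Cipher handed to BiometricPrompt. The keystore refuses to complete the
    // operation until a successful biometric authentication authorizes it.
    static Cipher decryptCipher(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c;
    }

    // Callback that validates the CryptoObject instead of trusting the call.
    static BiometricPrompt.AuthenticationCallback callback(
            byte[] wrappedSecret, UnlockListener listener) {
        return new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(
                    BiometricPrompt.AuthenticationResult result) {
                BiometricPrompt.CryptoObject co = result.getCryptoObject();
                if (co == null || co.getCipher() == null) {
                    // Reached without the object the prompt was started with.
                    listener.onFailure("missing CryptoObject");
                    return;
                }
                try {
                    // doFinal() succeeds only if the keystore authorized this
                    // cipher; a callback invoked without a real authentication
                    // fails here and releases nothing.
                    byte[] secret = co.getCipher().doFinal(wrappedSecret);
                    listener.onSuccess(secret);
                } catch (Exception e) {
                    listener.onFailure("CryptoObject not authorized: " + e);
                }
            }
        };
    }

    // Assumed listener interface; the app decides what "unlocked" means.
    interface UnlockListener {
        void onSuccess(byte[] secret);
        void onFailure(String reason);
    }
}
```

Usage: after createKey() has run once, start the prompt with prompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(decryptCipher(iv))), where iv was stored alongside wrappedSecret when the secret was encrypted under the same key. The security property comes from the wrapped secret only ever being recovered through the authorized Cipher; checking that co is non-null is necessary but not sufficient, which is why the example makes the decrypt itself the gate.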


Tracking


Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description                   capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.
Title                         capacitor-native-biometric - Authentication Bypass via Unvalidated CryptoObject in onAuthenticationSucceeded
Weaknesses                    CWE-287
References
Metrics                       cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                              cvssV4_0: {'score': 4.3, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:45.431Z

Reserved: 2026-06-20T12:49:17.829Z

Link: CVE-2026-56294

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses