Submission #842579: documenso v2.11.0 Authentication Bypass

Title: documenso v2.11.0 Authentication Bypass
Description: A vulnerability in Documenso allows two-factor authentication (2FA) bypass through inconsistent authentication enforcement across login methods. When users authenticate using email/password credentials, 2FA verification is enforced as expected. However, when the same account authenticates through Google OAuth, the application grants full authenticated access without requiring the configured second authentication factor. This vulnerability allows attackers who have obtained access to a victim's linked Google account credentials, OAuth session, or federated authentication access to bypass the intended multi-factor authentication protection mechanism, resulting in unauthorized account access and reduced account security. The issue stems from authentication policy inconsistency between local and federated authentication flows.
Source: https://github.com/documenso/documenso/issues/2758
User: Jeetpal2007 (UID 98616)
Submitted: 29/05/2026 09:37 (1 month ago)
Moderated: 28/06/2026 12:12 (1 month later)
Status: Accepted
VulDB entry: 374551 [Documenso up to 2.11.0 Google OAuth Login handle-oauth-callback-url.ts weak authentication]
Points: 20
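The policy inconsistency described in the submission, modelled as an added TypeScript example (not Documenso's code): one post-authentication gate that both the password flow and the OAuth callback must pass through, shown beside the vulnerable callback shape that skips it. The `completeLogin`, `verifySecondFactor` and fixture names are assumptions for illustration; the second-factor check is a constructed stub, not a real TOTP verifier.

```typescript
// Added example, not code from the Documenso project.
type AuthMethod = "password" | "google_oauth";

interface User {
  id: string;
  twoFactorEnabled: boolean;
}

interface SessionDecision {
  status: "authenticated" | "2fa_required";
  userId: string;
  method: AuthMethod;
}

// Constructed stand-in for a TOTP check: accepts only "123456" for users who
// have 2FA enrolled. A real implementation verifies against the stored secret.
function verifySecondFactor(user: User, code: string | undefined): boolean {
  return user.twoFactorEnabled && code === "123456";
}

// The single policy point. Every login method must call this after the
// primary credential (password or OAuth identity assertion) has been verified.
export function completeLogin(
  user: User,
  method: AuthMethod,
  secondFactorCode?: string,
): SessionDecision {
  if (!user.twoFactorEnabled) {
    return { status: "authenticated", userId: user.id, method };
  }
  if (verifySecondFactor(user, secondFactorCode)) {
    return { status: "authenticated", userId: user.id, method };
  }
  // No full session is issued; the caller must redirect to the 2FA step.
  return { status: "2fa_required", userId: user.id, method };
}

// Vulnerable shape: the federated callback trusts the identity provider's
// assertion as a complete login and never consults the shared gate.
export function oauthCallbackVulnerable(user: User): SessionDecision {
  return { status: "authenticated", userId: user.id, method: "google_oauth" };
}

// Fixed shape: the callback routes through the same gate as the password flow,
// so an enrolled second factor is required regardless of login method.
export function oauthCallbackFixed(user: User, secondFactorCode?: string): SessionDecision {
  return completeLogin(user, "google_oauth", secondFactorCode);
}
```

A regression test for the fix is to assert that a 2FA-enrolled user reaching the OAuth callback receives `2fa_required`, exactly as the password path does.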
