| Title | documenso v2.11.0 Authentication Bypass |
|---|---|
| Description | A vulnerability in Documenso allows two-factor authentication (2FA) bypass through inconsistent authentication enforcement across login methods. When users authenticate using email/password credentials, 2FA verification is enforced as expected. However, when the same account authenticates through Google OAuth, the application grants full authenticated access without requiring the configured second authentication factor.<br><br>This vulnerability allows attackers who have obtained access to a victim's linked Google account credentials, OAuth session, or federated authentication access to bypass the intended multi-factor authentication protection mechanism, resulting in unauthorized account access and reduced account security. The issue stems from authentication policy inconsistency between local and federated authentication flows. |
| Source | https://github.com/documenso/documenso/issues/2758 |
| User | Jeetpal2007 (UID 98616) |
| Submission | 05/29/2026 09:37 (1 month ago) |
| Moderation | 06/28/2026 12:12 (1 month later) |
| Status | Accepted |
| VulDB entry | 374551 [Documenso up to 2.11.0 Google OAuth Login handle-oauth-callback-url.ts improper authentication] |
| Points | 20 |
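The policy inconsistency described in the entry, as an added TypeScript illustration that is not Documenso's code: the user store, session shape and function names are hypothetical, and the point is that every login method must pass through the same 2FA decision.

```typescript
// Added illustration, not Documenso's code: a minimal login model showing why
// every authentication method must consult the same 2FA policy.
type User = { id: string; email: string; twoFactorEnabled: boolean };
type Session =
  | { state: "authenticated"; userId: string }
  | { state: "two_factor_pending"; userId: string };

// Constructed sample user store (hypothetical accounts).
const users: Record<string, User> = {
  "alice@example.com": { id: "u1", email: "alice@example.com", twoFactorEnabled: true },
  "bob@example.com": { id: "u2", email: "bob@example.com", twoFactorEnabled: false },
};

// Single policy hook: a first factor only yields a pending session when 2FA is on.
function issueSession(user: User): Session {
  return user.twoFactorEnabled
    ? { state: "two_factor_pending", userId: user.id }
    : { state: "authenticated", userId: user.id };
}

// Password login applies the policy (the path the report says behaves correctly).
function passwordLogin(email: string, passwordOk: boolean): Session | null {
  const user = users[email];
  if (!user || !passwordOk) return null;
  return issueSession(user);
}

// Vulnerable pattern: the OAuth callback trusts the identity provider and grants a
// full session, skipping the 2FA step the password path performs.
function oauthCallbackVulnerable(verifiedEmail: string): Session | null {
  const user = users[verifiedEmail];
  if (!user) return null;
  return { state: "authenticated", userId: user.id };
}

// Fixed pattern: OAuth proves only the first factor, so route it through the policy.
function oauthCallbackFixed(verifiedEmail: string): Session | null {
  const user = users[verifiedEmail];
  if (!user) return null;
  return issueSession(user);
}

// Regression check a maintainer can keep: all login methods must agree per account.
function policyIsConsistent(email: string): boolean {
  const viaPassword = passwordLogin(email, true);
  const viaOAuth = oauthCallbackFixed(email);
  return viaPassword?.state === viaOAuth?.state;
}
```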