HackerOne Disclosed Reports - 2026-02-28


Medium
resolved

2FA requirement bypass when inviting team members


Bug reported by Youssef AboHashish was disclosed on February 28, 2026, 8:55 pm | Improper Access Control - Generic

The application's requirement for users to enable 2FA before sending team invitations was bypassed by modifying client-side responses. This allowed invitations to be sent without enabling 2FA, defeating the security requirement.
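
The pattern behind this class of bug, as an added example that is not part of the disclosed report or the affected application's code: an invitation handler that relies on the front end to enforce the 2FA requirement, beside one that re-checks it from server-side state. The user store, function names and the `two_factor_enabled` field are assumptions made for illustration.

```javascript
// Hypothetical names throughout; constructed data, not taken from the report.
// Server-side state: the only trustworthy record of 2FA enrolment.
const users = new Map([
  ["alice", { twoFactorEnabled: true }],
  ["bob", { twoFactorEnabled: false }],
]);
const invitations = [];

// What the server tells the client. This body can be rewritten before the
// front end reads it, so it must never be the only gate.
function getProfile(userId) {
  return { userId, two_factor_enabled: users.get(userId).twoFactorEnabled };
}

// Vulnerable pattern: the handler assumes the UI already hid the invite form
// from users without 2FA and performs no check of its own.
function inviteVulnerable(userId, email) {
  invitations.push({ from: userId, to: email });
  return { status: 201 };
}

// Hardened pattern: the 2FA requirement is re-evaluated from server-side
// state on every invitation request, whatever the client believes.
function inviteHardened(userId, email, body = {}) {
  const user = users.get(userId);
  if (!user) return { status: 401, error: "unknown user" };
  // Any client-supplied claim such as body.two_factor_enabled is ignored.
  if (!user.twoFactorEnabled) {
    return { status: 403, error: "enable 2FA before inviting team members" };
  }
  invitations.push({ from: userId, to: email });
  return { status: 201 };
}

// Models a client whose copy of the profile response was modified, so the
// UI-side gate passes even though the account has no 2FA.
function tamperedClientInvite(handler, userId, email) {
  const profile = { ...getProfile(userId), two_factor_enabled: true };
  if (!profile.two_factor_enabled) return { status: 0, error: "blocked in UI" };
  return handler(userId, email, { two_factor_enabled: true });
}
```

A regression test for the fix should send the invitation request directly as a user without 2FA and expect a rejection, independent of any front-end state.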




