CVE-2026-56235
Published 2026-06-20
Priority: P3 (35) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.27% (19.1th percentile)
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).
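The defect described above is a privilege grant plus a missing membership check inside the RPC function, so the fix lives in the database, not the client. The following is an added illustration, not Capgo's own code: the pattern the advisory describes, a hardened version of the same function, and an audit query for finding any other function the anon role can still execute. The table names app_metrics and org_users, the uuid type of org_id and the function bodies are assumptions.

```sql
-- Added example (not Capgo's code). The tables app_metrics and org_users,
-- the uuid type of org_id and the function bodies are assumptions.

-- 1. The shape the advisory describes: callable by anon, trusts org_id as given.
CREATE OR REPLACE FUNCTION public.get_app_metrics(org_id uuid)
RETURNS SETOF public.app_metrics
LANGUAGE sql SECURITY DEFINER AS $$
  SELECT m.* FROM public.app_metrics m WHERE m.org_id = get_app_metrics.org_id;
$$;
GRANT EXECUTE ON FUNCTION public.get_app_metrics(uuid) TO anon, authenticated;

-- 2. Hardened form: no anonymous access, and the caller must be a member of
--    the org they ask about. "Not a member" and "no such org" raise the same
--    error, so the endpoint no longer works as an org-existence oracle.
CREATE OR REPLACE FUNCTION public.get_app_metrics(org_id uuid)
RETURNS SETOF public.app_metrics
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = public, pg_temp AS $$
BEGIN
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '42501';
  END IF;
  IF NOT EXISTS (
    SELECT 1 FROM public.org_users u
     WHERE u.org_id = get_app_metrics.org_id AND u.user_id = auth.uid()
  ) THEN
    RAISE EXCEPTION 'not authorized for this org' USING ERRCODE = '42501';
  END IF;
  RETURN QUERY
    SELECT m.* FROM public.app_metrics m WHERE m.org_id = get_app_metrics.org_id;
END;
$$;
-- Supabase's default privileges grant EXECUTE on new public functions to
-- anon and authenticated, so the revoke has to be explicit.
REVOKE EXECUTE ON FUNCTION public.get_app_metrics(uuid) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.get_app_metrics(uuid) TO authenticated;

-- 3. Audit query: every function in public that anon can still execute.
SELECT n.nspname, p.proname, pg_get_function_identity_arguments(p.oid) AS args
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
 WHERE n.nspname = 'public'
   AND has_function_privilege('anon', p.oid, 'EXECUTE')
 ORDER BY p.proname;
```

Run the audit query after every migration; any row it returns is a function reachable with nothing but the publishable key.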
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cap-go | capgo | < 12.128.2 | 12.128.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa_unreviewed · 2026-06-20
CVE-2026-56235 [MEDIUM] CWE-200. The GHSA description is the same text as the summary at the top of this page.
VulDB
vuldb · 2026-06-20 · CVSS 5.3
CVE-2026-56235 [MEDIUM] Cap-go capgo up to 12.128.1 Public Supabase API information disclosure (GHSA-gfpq-vphf-6gcm / EUVD-2026-38117)
A vulnerability was found in Cap-go capgo up to 12.128.1. It has been rated as problematic. The impacted element is an unknown function of the component Public Supabase API. The manipulation leads to information disclosure.
This vulnerability is listed as CVE-2026-56235. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-20