Cap-Go Capgo vulnerabilities
13 known vulnerabilities affecting cap-go/capgo.
Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 7
Vulnerabilities
CVE-2026-56073 | P2 | CRITICAL | CVSS 9.4 | CWE-345 | fixed in 12.128.2 | 2026-06-19
Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeov
nvd
CVE-2026-56081 | P2 | CRITICAL | CVSS 9.1 | CWE-640 | fixed in 12.128.2 | 2026-06-19
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to re
nvd
CVE-2026-56245 | P3 | HIGH | CVSS 8.2 | CWE-269 | fixed in 12.128.2 | 2026-06-24
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organ
nvd
CVE-2026-56082 | P3 | HIGH | CVSS 7.5 | CWE-284 | fixed in 12.128.2 | 2026-06-19
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbi
nvd
CVE-2026-56221 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | fixed in 12.128.2 | 2026-06-22
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name
nvd
CVE-2026-56248 | P3 | HIGH | CVSS 7.5 | CWE-400 | fixed in 12.128.12 | 2026-06-23
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint
nvd
CVE-2026-56280 | P3 | HIGH | CVSS 7.1 | CWE-862 | fixed in 12.128.2 | 2026-06-22
Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY when clients disconnect,
nvd
CVE-2026-53982 | P3 | MEDIUM | CVSS 6.5 | CWE-645 | fixed in 12.28.2 | 2026-06-12
Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing
nvd
CVE-2026-56235 | P3 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 12.128.2 | 2026-06-20
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arb
nvd
CVE-2026-56316 | P4 | MEDIUM | CVSS 5.3 | CWE-203 | fixed in 12.128.2 | 2026-06-21
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate
nvd
CVE-2026-56080 | P4 | MEDIUM | CVSS 4.9 | CWE-287 | fixed in 12.128.2 | 2026-06-19
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset promp
nvd
CVE-2026-56310 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 12.128.2 | 2026-06-24
Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, image_url, role, and is_tmp from organizations outside their assigned scope.
nvd
CVE-2026-56307 | P4 | MEDIUM | CVSS 4.3 | CWE-670 | fixed in 12.128.12 | 2026-06-20
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loo
nvd