CVE-2026-56226 in capgoinfo

Summary

by MITRE • 07/08/2026

Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the authenticated user, an attacker using only the public publishable API key can query POST /rest/v1/rpc/get_orgs_v6 with an arbitrary user UUID to retrieve that user's organization membership, roles, subscription/trial metadata, and management_email (PII).

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability represents a critical authorization flaw in the Capgo application ecosystem that stems from improper privilege management within the Supabase PostgREST RPC function implementation. The security issue manifests through the public.get_orgs_v6 function which operates with SECURITY DEFINER privileges and has been granted access to the anon role, effectively removing authentication requirements for accessing sensitive user data. The function accepts a userid parameter of type uuid that is passed directly from client requests without proper validation or authentication checks. This design flaw creates an arbitrary code execution vector where attackers can manipulate input parameters to gain unauthorized access to organization membership details, user roles, subscription information, trial metadata, and management email addresses.

The technical implementation demonstrates a classic case of insufficient input validation combined with improper privilege escalation mechanisms. When the function receives a userid parameter through the POST /rest/v1/rpc/get_orgs_v6 endpoint, it processes this value without verifying whether it corresponds to the currently authenticated user. This vulnerability directly maps to CWE-285 (Improper Authorization) and CWE-352 (Cross-Site Request Forgery) categories within the Common Weakness Enumeration framework. The attacker only requires the public publishable API key which is typically exposed in client-side applications, making this attack vector particularly dangerous as it does not require additional credentials or elevated privileges.

The operational impact of this vulnerability extends beyond simple data exposure to encompass significant privacy and security implications for affected users. Attackers can exploit this flaw to enumerate organization memberships across multiple user accounts, potentially identifying employee relationships within organizations, understanding user subscription patterns, and extracting personally identifiable information including management email addresses. This type of information disclosure aligns with ATT&CK technique T1087.001 (Account Discovery: Local Account) and T1566.001 (Phishing: Spearphishing Attachment) as it enables attackers to gather intelligence for targeted social engineering campaigns. The vulnerability also represents a data leak scenario under the MITRE ATT&CK framework where sensitive user information flows from protected systems to unauthorized parties.

Mitigation strategies should focus on implementing proper input validation and authentication checks within the Supabase function definitions, ensuring that all user-supplied UUID parameters are verified against the authenticated session context. Organizations must immediately restrict the permissions granted to the anon role and implement proper access controls for RPC functions, particularly those handling sensitive data. The fix requires modifying the SECURITY DEFINER function to validate that the provided userid parameter matches the authenticated user's identifier before executing the query. Additionally, organizations should review all Supabase RPC functions for similar privilege escalation issues and implement comprehensive logging to detect unauthorized access attempts. This vulnerability highlights the importance of following principle of least privilege in database function design and underscores the critical need for proper authentication verification in all data access points within serverless application architectures.

The exposure of management email addresses and subscription metadata creates additional risks for targeted attacks, as these details can be used to craft personalized phishing campaigns or identify potential targets for further exploitation. Organizations should conduct immediate security assessments of their Supabase implementations and review all RPC functions for similar authorization bypass vulnerabilities. This incident demonstrates the critical importance of implementing proper access controls in cloud-based database systems where public API keys are commonly exposed in client applications, making it essential to design security measures that protect against such scenarios even when authentication tokens are compromised.

Responsible

VulnCheck

Reservation

06/19/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!