CVE-2026-56284 in capgoinfo

Summary

by MITRE • 07/08/2026

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only the public sb_publishable_* key. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics including MAU, bandwidth, and install counts by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in Capgo versions prior to 12.128.2 represents a critical information disclosure flaw that undermines the security posture of the Supabase-based application architecture. This weakness resides within the PostgREST RPC function named public.get_total_metrics, which is exposed through the anonymous role access mechanism. The system configuration allows any unauthenticated entity to leverage the publicly accessible sb_publishable_* keys to invoke this function, creating an unauthorized data leakage pathway that directly violates fundamental security principles of least privilege and access control.

The technical implementation of this vulnerability stems from improper authorization controls within the Supabase PostgREST framework where the public.get_total_metrics function lacks adequate security checks before returning sensitive metrics data. The anon role, which typically represents unauthenticated users in Supabase environments, is granted access to this specific RPC endpoint through the publishable key mechanism. This configuration enables attackers to systematically probe for valid organization identifiers and retrieve comprehensive usage analytics including monthly active users metrics, bandwidth consumption data, and application installation counts without requiring any authentication credentials or privileged access rights.

The operational impact of this vulnerability extends beyond simple information leakage, as it provides attackers with valuable intelligence about system usage patterns and organizational activity levels. The ability to determine which organizations exist within the system creates opportunities for targeted attacks and reconnaissance activities that could lead to more sophisticated exploitation attempts. This type of vulnerability directly relates to CWE-200, Information Exposure, and aligns with ATT&CK technique T1589.002, Obtain Capabilities, where adversaries gather information about target systems to plan further operations. The exposure of bandwidth metrics particularly raises concerns for organizations that may be subject to usage-based billing or have sensitive operational requirements that could be compromised through such data leakage.

Organizations utilizing Capgo should immediately implement mitigations including restricting access to the get_total_metrics RPC endpoint by removing anonymous access permissions, implementing proper authentication requirements for metric retrieval, and ensuring that publishable keys are not used for operations that expose sensitive organizational data. The recommended approach involves configuring Supabase Row Level Security policies to prevent unauthorized access to metrics functions while maintaining legitimate functionality for authenticated users. Additionally, organizations should conduct comprehensive audits of their Supabase configurations to identify similar exposure vulnerabilities in other RPC endpoints or database functions that may be accessible through anonymous roles. This vulnerability demonstrates the critical importance of proper access control implementation in cloud-based applications and serves as a reminder that even seemingly innocuous data exposure can provide attackers with valuable reconnaissance information for more advanced attack vectors.

Responsible

VulnCheck

Reservation

06/20/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!