CVE-2026-56339 in capgoinfo

Summary

by MITRE • 07/15/2026

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Capgo versions prior to 12.128.2 represents a critical information disclosure weakness that directly impacts the security posture of organizations relying on the platform's Supabase PostgREST integration. This issue specifically affects the public.rescind_invitation function which operates under a SECURITY DEFINER context, creating an unintended attack vector for unauthenticated threat actors seeking to discover valid organization identifiers within the system. The flaw stems from the function's implementation pattern where it provides distinct error responses based on the type of validation failure encountered during execution.

The technical exploitation of this vulnerability occurs through careful observation of error message variations that are returned when the RPC function is invoked with only a publishable API key rather than proper authentication credentials. When attackers submit requests to the public.rescind_invitation endpoint, they receive specific error responses indicating either NO_ORG or NO_RIGHTS conditions. These distinguishable error messages create a systematic pattern that allows adversaries to perform organization enumeration attacks, effectively mapping valid organization IDs within the system without requiring any legitimate access credentials.

This information disclosure vulnerability directly maps to CWE-200, which addresses the improper exposure of sensitive information, and represents a significant deviation from secure coding practices for API endpoint design. The operational impact extends far beyond simple data leakage, as successful enumeration enables attackers to conduct targeted phishing campaigns or social engineering operations against specific organizations that are known to be present in the Capgo platform ecosystem. Threat actors can leverage this intelligence to craft more convincing attacks and increase their success rates in compromising legitimate users.

The security implications of this vulnerability are particularly concerning given the nature of cloud-based development platforms where organization identifiers often serve as primary targets for reconnaissance activities. The lack of proper error handling and the absence of consistent response patterns when authentication fails creates a predictable information leakage channel that undermines the platform's overall security architecture. This vulnerability demonstrates poor adherence to the principle of least privilege and inadequate input validation, both of which are fundamental requirements in secure application design.

Organizations should immediately implement mitigations including the patching of affected versions to 12.128.2 or later, where the error handling has been corrected to provide consistent responses regardless of whether an organization exists or not. Additionally, defensive measures such as rate limiting on API endpoints and enhanced monitoring for unusual query patterns can help detect and prevent enumeration attempts before they can be effectively exploited. The fix should ensure that all error responses from SECURITY DEFINER functions maintain consistent messaging patterns to prevent information leakage while preserving the intended functionality of the system.

This vulnerability also highlights the importance of proper security testing during development cycles, particularly for database integration points that handle authentication and authorization logic. The issue demonstrates how seemingly minor implementation details in error handling can create significant security implications when combined with the broader attack surface of cloud-based applications. Organizations should consider implementing automated security scanning tools that can identify similar patterns in their codebases to prevent future occurrences of this type of information disclosure vulnerability.

The remediation process should include comprehensive testing to ensure that all RPC functions within the Supabase PostgREST environment have consistent error handling behavior and that no additional functions exist with similar disclosure characteristics. Security teams should also review related database procedures and functions to identify any additional attack vectors that might expose organizational or user data through similar means. This vulnerability serves as a reminder that even well-established platforms can contain subtle security flaws that require continuous vigilance and proactive security measures to address effectively.

The ATT&CK framework categorizes this type of vulnerability under T1212 - Exploitation for Credential Access, where adversaries leverage information disclosure to gain insights necessary for subsequent attack phases. The consistent error messaging pattern creates a reconnaissance tool that can be automated and integrated into larger attack frameworks, making it particularly dangerous for organizations that rely heavily on the platform's security controls for protecting sensitive development environments and organizational data assets.

Organizations utilizing Capgo should conduct immediate risk assessments to determine if any unauthorized enumeration activities have occurred within their systems, while also implementing proper logging and monitoring mechanisms to detect similar exploitation attempts against other services. The vulnerability underscores the critical importance of maintaining up-to-date security patches and implementing comprehensive application security testing practices that include thorough examination of error handling and response patterns within database integration points.

Responsible

VulnCheck

Reservation

06/20/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!