CVE-2026-56213
Status: Received - Intake
Authorization Bypass in Capgo via PostgREST RPC

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.
Affected Vendors & Products

Vendor   Product   Version / Range
cap-go   capgo     < 12.128.2 (12.128.2 itself is not affected)
CWE

CWE ID    Description
CWE-862   Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-56213 is an authorization bypass in the Capgo project before version 12.128.2. It exists in the public.upsert_version_meta function, which is exposed via PostgREST RPC and runs with SECURITY DEFINER privileges, that is, with the rights of the role that owns the function rather than those of the caller. The public anon role can execute it and the function performs no authorization check of its own, so an unauthenticated attacker holding only the public anon key can insert arbitrary rows into the version_meta table for any app_id or version_id.

Because a SECURITY DEFINER function executes as its owner, the Row-Level Security policies on version_meta are not applied to the caller, and the function neither substitutes an ownership check of its own nor validates its inputs. Attackers can therefore poison storage metrics by injecting false rows. That data is consumed by the metrics pipeline and produces persistent inaccuracies in dashboards and analytics, along with incorrect alerts across affected applications.

Impact Analysis

An unauthenticated attacker can insert false rows into an application's storage metrics. Because those rows persist in version_meta, the poisoning is durable: dashboards and analytics built on the table display incorrect information until the rows are found and removed.

As a result, automated alerts and monitoring systems that rely on these metrics may trigger false alarms or fail to detect real issues, potentially disrupting operations and decision-making processes.

Detection Guidance

Detection has two parts. To check exposure, inspect who holds EXECUTE on the public.upsert_version_meta function: in an affected deployment the anon role is able to execute it (whether through an explicit grant or through PostgreSQL's default EXECUTE privilege for PUBLIC), so any PostgREST client holding the public anon key can call it. To detect exploitation, monitor RPC calls to that function made with the anon role, and look for insertions into version_meta that do not correspond to a real app or a real upload.

Because the description states that rows can be written for any app_id, including legitimate ones, a query on version_meta for app_ids with no registered app catches only careless poisoning; rows written under a valid app_id with a fabricated version_id or size have to be reconciled against the versions actually uploaded for that app.

  • Example SQL to check for entries in version_meta whose app_id is not registered, where authorized_apps is a placeholder for whichever table holds the deployment's legitimate app_ids (the page does not name it); NOT EXISTS is used rather than NOT IN so that a NULL app_id in the reference table cannot silently empty the result: SELECT vm.* FROM public.version_meta vm WHERE NOT EXISTS (SELECT 1 FROM authorized_apps a WHERE a.app_id = vm.app_id);
  • Monitor RPC calls to public.upsert_version_meta via PostgREST logs or network traffic for requests made with the anon role or public keys.
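Two checks an operator can run directly against the PostgreSQL database behind a Capgo deployment, added here as an example; they are not part of the advisory or of the Capgo code base. The first answers "am I exposed?": it lists every role holding EXECUTE on public.upsert_version_meta and whether the function is SECURITY DEFINER, resolving PostgreSQL's default-privilege case (a NULL proacl means EXECUTE for PUBLIC, which covers the anon role) so that an empty ACL does not hide the exposure. The second looks for exploitation: version_meta rows whose app_id matches no registered app, or whose size is not a plausible byte count. The table public.apps with an app_id column, and the version_meta columns app_id, version_id and size, are assumed from the advisory text and may differ in a given deployment.

```sql
-- Check 1 (exposure): who can EXECUTE public.upsert_version_meta, and does it
-- run SECURITY DEFINER?  A NULL proacl means "default privileges", which for a
-- function is EXECUTE granted to PUBLIC; acldefault() makes that explicit so
-- the anon role's access is not hidden behind an empty ACL.
SELECT n.nspname                                   AS schema_name,
       p.proname                                   AS function_name,
       pg_get_function_identity_arguments(p.oid)   AS arguments,
       p.prosecdef                                 AS security_definer,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE a.grantee::regrole::text END      AS grantee,
       a.privilege_type
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) a
WHERE  n.nspname = 'public'
AND    p.proname = 'upsert_version_meta';
-- Any row whose grantee is PUBLIC, anon or authenticated means a client that
-- only holds the public anon key can reach the function through PostgREST
-- (POST /rest/v1/rpc/upsert_version_meta).

-- Check 2 (exploitation): version_meta rows that no registered app explains,
-- plus rows whose size is not a plausible byte count.  public.apps(app_id) is
-- assumed to be the table of legitimate apps in this deployment.
SELECT vm.app_id,
       vm.version_id,
       vm.size,
       CASE WHEN a.app_id IS NULL                   THEN 'unknown app_id'
            WHEN vm.size IS NULL OR vm.size < 0     THEN 'invalid size'
            ELSE                                         'implausible size'
       END                                          AS reason
FROM   public.version_meta vm
LEFT JOIN public.apps a ON a.app_id = vm.app_id
WHERE  a.app_id IS NULL
OR     vm.size IS NULL
OR     vm.size < 0
OR     vm.size > 10737418240          -- 10 GiB ceiling; tune to your bundle sizes
ORDER BY vm.app_id, vm.version_id;
```

Check 1 is the one to run first: if it returns a PUBLIC or anon grantee on a SECURITY DEFINER function, the deployment is exposed regardless of what check 2 finds. Check 2 only catches poisoning that used an unregistered app_id or an absurd size; a row written under a real app_id with a believable size can only be identified by comparing version_id against the versions that were actually uploaded for that app, which depends on the deployment's own versions table.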
Mitigation Strategies

The primary fix is to upgrade to Capgo 12.128.2 or later. Where that cannot be done at once, restrict EXECUTE on the public.upsert_version_meta function to the service_role only, revoking it from the anon role and from PUBLIC. The PUBLIC revocation matters: PostgreSQL grants EXECUTE on a new function to PUBLIC by default, and a grant to PUBLIC applies to anon even when anon was never named.

Additionally, add an explicit authorization check inside upsert_version_meta. Because the function is SECURITY DEFINER, current_user inside its body is the function's owner rather than the caller, so the check has to read the caller's role from the JWT claims that PostgREST places in the request.jwt.claims setting, not from current_user.

Validate input parameters such as size (non-null, non-negative, within a plausible range) and confirm that app_id refers to an existing app before writing, so that even an authorized caller cannot store malformed or orphaned metrics.
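The shape of the exposure described in the summary, beside a hardened version that applies the three mitigations above, added here as an example; this is not Capgo's code or its actual fix in 12.128.2. The signature upsert_version_meta(p_app_id text, p_version_id bigint, p_size bigint), the unique constraint on version_meta(app_id, version_id) that ON CONFLICT relies on, and the table public.apps(app_id) are assumptions for illustration. The caller check reads the role claim from request.jwt.claims, which PostgREST sets for every request, because inside a SECURITY DEFINER body current_user is the owner, not the caller. The REVOKE names PUBLIC, anon and authenticated together, since the default grant lives on PUBLIC and Supabase projects commonly also carry default privileges for the client roles.

```sql
-- BEFORE (the shape the advisory describes; signature assumed for illustration).
-- Runs as its owner, so RLS on version_meta is not applied to the caller, and
-- with no REVOKE the default EXECUTE for PUBLIC lets the anon role call it via
-- POST /rest/v1/rpc/upsert_version_meta.
CREATE OR REPLACE FUNCTION public.upsert_version_meta(
    p_app_id text, p_version_id bigint, p_size bigint)
RETURNS void
LANGUAGE sql
SECURITY DEFINER
AS $$
    INSERT INTO public.version_meta (app_id, version_id, size)
    VALUES (p_app_id, p_version_id, p_size)
    ON CONFLICT (app_id, version_id) DO UPDATE SET size = EXCLUDED.size;
$$;

-- AFTER, step 1: take EXECUTE away from every client-facing role.  PUBLIC must
-- be named explicitly: that is where the default grant lives, and a grant to
-- PUBLIC applies to anon whether or not anon was ever named.
REVOKE EXECUTE ON FUNCTION public.upsert_version_meta(text, bigint, bigint)
    FROM PUBLIC, anon, authenticated;
GRANT  EXECUTE ON FUNCTION public.upsert_version_meta(text, bigint, bigint)
    TO service_role;

-- AFTER, step 2: defence in depth inside the body.  CREATE OR REPLACE keeps the
-- grants set above (a DROP would reset them to the defaults).  current_user in
-- a SECURITY DEFINER body is the owner, so the caller is identified from the
-- JWT claims PostgREST stores in request.jwt.claims.
CREATE OR REPLACE FUNCTION public.upsert_version_meta(
    p_app_id text, p_version_id bigint, p_size bigint)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = ''          -- no caller-influenced name resolution
AS $$
DECLARE
    -- NULL when the setting is absent (e.g. a direct, non-PostgREST session).
    jwt_role text := current_setting('request.jwt.claims', true)::jsonb ->> 'role';
BEGIN
    -- Only the backend (service_role key) may write metrics.  The anon key
    -- yields role = 'anon'; a missing claim yields NULL; both are rejected.
    IF jwt_role IS DISTINCT FROM 'service_role' THEN
        RAISE EXCEPTION 'upsert_version_meta: caller role % is not permitted',
            coalesce(jwt_role, '<none>')
            USING ERRCODE = '42501';          -- insufficient_privilege
    END IF;

    -- Input validation: a plausible byte count, and an app that actually exists.
    IF p_size IS NULL OR p_size < 0 THEN
        RAISE EXCEPTION 'upsert_version_meta: invalid size %', p_size
            USING ERRCODE = '22023';          -- invalid_parameter_value
    END IF;
    IF NOT EXISTS (SELECT 1 FROM public.apps WHERE app_id = p_app_id) THEN
        RAISE EXCEPTION 'upsert_version_meta: unknown app_id %', p_app_id
            USING ERRCODE = '23503';          -- foreign_key_violation
    END IF;

    INSERT INTO public.version_meta (app_id, version_id, size)
    VALUES (p_app_id, p_version_id, p_size)
    ON CONFLICT (app_id, version_id) DO UPDATE SET size = EXCLUDED.size;
END;
$$;
```

Step 1 alone closes the unauthenticated path and is what to apply first in an emergency; step 2 protects against the grant being reintroduced later, for example by a migration that drops and recreates the function. One caveat on the role check: it assumes the legitimate writer calls the function through PostgREST with the service_role key. If a backend writes through a direct database connection instead, request.jwt.claims is unset and the check as written rejects it, so the condition must then be extended to recognise that backend's database role.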

Compliance Impact

The vulnerability allows unauthenticated attackers to insert arbitrary data into storage metrics, causing persistent false data in dashboards and triggering incorrect alerts. While the CVE description and resources detail the technical impact and severity, there is no specific information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
