CVE-2026-56214
Status: Received - Intake
Information Disclosure in Capgo via Supabase PostgREST Endpoints

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key. Attackers can invoke these endpoints to determine organization existence via distinguishable return values and identify paying customers for targeted profiling.
Meta Information

Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor   Product   Version / Range
capgo    capgo     up to 12.128.2 (exclusive)
CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-56214 is an information disclosure vulnerability in Capgo versions before 12.128.2. It affects the Supabase PostgREST RPC endpoints named is_trial_org and is_paying_org. These endpoints can be invoked by unauthenticated attackers using the public sb_publishable key to enumerate organizations and disclose their billing status.

Specifically, attackers can determine if an organization exists by observing distinguishable return values from the is_trial_org endpoint, which returns 0 for existing organizations and null for non-existent ones. They can also identify whether an organization is paying or not by querying the is_paying_org endpoint, which returns true or false accordingly.

This vulnerability allows attackers to profile organizations without authentication, exposing sensitive information about organization existence and billing status.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to enumerate your organization's existence and billing status. This can lead to targeted profiling of paying customers, potentially exposing sensitive business information.

Such information disclosure can be exploited for competitive intelligence, phishing, or other malicious activities aimed at your organization or its customers.

Because the vulnerability does not require authentication, it increases the risk of unauthorized data exposure and may undermine trust in your services.

Detection Guidance

This vulnerability can be detected by attempting to invoke the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org using the public sb_publishable key without authentication.

Specifically, you can send requests to these endpoints and observe their return values to determine if organization enumeration and billing status disclosure is possible.

  • Invoke the is_trial_org endpoint with an organization ID; a return value of 0 indicates the organization exists, while null indicates it does not.
  • Invoke the is_paying_org endpoint with an organization ID; it returns true or false indicating the billing status.

Example commands using curl might look like:

  • curl -X POST https://<capgo-instance>/rpc/is_trial_org -H "apikey: <public_sb_publishable_key>" -d '{"org_id": "<organization_id>"}'
  • curl -X POST https://<capgo-instance>/rpc/is_paying_org -H "apikey: <public_sb_publishable_key>" -d '{"org_id": "<organization_id>"}'

Mitigation Strategies

Immediate mitigation steps include restricting access to the is_trial_org and is_paying_org RPC endpoints to authenticated users only.

Ensure these endpoints require privileged credentials and are not accessible via the public sb_publishable key.

Updating Capgo to version 12.128.2 or later, where this vulnerability is fixed, is strongly recommended.
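One way to apply the restriction described above on a Supabase project, as an added hardening example that is not Capgo's own fix: it assumes the two functions live in the public schema and take a single uuid argument named org_id, and it uses a hypothetical public.org_users(org_id, user_id) membership table and public.orgs(id, plan) table to stand in for the real billing lookup.

```sql
-- Added hardening example; not Capgo's own migration or fix.
-- Assumed: functions in schema "public" with signature (org_id uuid);
-- hypothetical tables public.org_users(org_id, user_id) and public.orgs(id, plan).

-- 1. PostgREST exposes any function the "anon" role may EXECUTE, and
--    PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so
--    the publishable key (which maps to anon) could call both. Pull the grants.
REVOKE EXECUTE ON FUNCTION public.is_trial_org(uuid) FROM PUBLIC, anon;
REVOKE EXECUTE ON FUNCTION public.is_paying_org(uuid) FROM PUBLIC, anon;

-- 2. Stop the same default from re-exposing functions created later
--    (applies to objects created by the role running this statement).
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- 3. Re-grant to logged-in users only, and make the body check that the
--    caller is a member of the org. Returning false for both "no such org"
--    and "not your org" removes the distinguishable return value that
--    allowed enumeration. auth.uid() is Supabase's helper for the JWT subject.
CREATE OR REPLACE FUNCTION public.is_paying_org(org_id uuid)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF auth.uid() IS NULL
     OR NOT EXISTS (SELECT 1 FROM public.org_users ou
                    WHERE ou.org_id = is_paying_org.org_id
                      AND ou.user_id = auth.uid()) THEN
    RETURN false;
  END IF;
  -- Hypothetical billing lookup; replace with the real plan check.
  RETURN EXISTS (SELECT 1 FROM public.orgs o
                 WHERE o.id = is_paying_org.org_id AND o.plan <> 'trial');
END;
$$;
GRANT EXECUTE ON FUNCTION public.is_paying_org(uuid) TO authenticated;

-- 4. Verify: both queries should now return false for the anon role.
SELECT has_function_privilege('anon', 'public.is_trial_org(uuid)', 'EXECUTE');
SELECT has_function_privilege('anon', 'public.is_paying_org(uuid)', 'EXECUTE');
```

After the revoke, an unauthenticated call with only the publishable key is rejected by PostgREST instead of returning 0, null, true or false, which is the observable you would check from the outside.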

Compliance Impact

This vulnerability allows unauthenticated attackers to enumerate organizations and disclose billing status information, which constitutes exposure of sensitive information to unauthorized actors.

Such unauthorized disclosure of organizational and billing data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure.

Specifically, the exposure of billing status and organization existence information may violate principles of data confidentiality and privacy mandated by these standards.
