CVE-2026-56235
Received - Intake
Authorization Bypass in Cap-go Supabase PostgREST Metrics Functions

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: capgo
Product: capgo
Version / Range: up to 12.128.2 (exclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

CVE-2026-56235 is a medium-severity vulnerability in Cap-go versions before 12.128.2 that involves an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics). These functions are accessible to the anon role without enforcing organization membership or permission checks.

An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can exploit this vulnerability to query arbitrary organization IDs and disclose cross-tenant usage telemetry data such as monthly active users (MAU), bandwidth, installs, and gets. The attacker can also enumerate app IDs for a target organization and determine whether an organization exists by using an oracle: valid organizations return metrics, while invalid ones return an empty list.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive organizational data across tenants. An attacker can access usage telemetry data including monthly active users, bandwidth consumption, install counts, and app IDs for any organization without authentication.

Additionally, the vulnerability allows attackers to enumerate organizations by determining their existence through the response behavior of the affected RPC functions. This can lead to privacy violations and potential targeted attacks based on the exposed information.

Detection Guidance

This vulnerability can be detected by attempting to call the affected Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) using the public Supabase API key (sb_publishable_*) without authentication.

If these functions return usage telemetry data (such as MAU, bandwidth, installs, gets) for arbitrary org_id values without enforcing permission checks, it indicates the presence of the vulnerability.

One way to check is an HTTP request to the Supabase REST endpoint that invokes one of these RPC functions with an org_id the caller is not a member of, to see whether data is returned without authentication.

Example curl command to test the get_app_metrics RPC function:

  curl -X POST https://your-supabase-instance/rest/v1/rpc/get_app_metrics -H "apikey: sb_publishable_*" -H "Content-Type: application/json" -d '{"org_id":"some-org-id"}'

If the response returns metrics data for arbitrary org_id values without requiring authentication or proper permission checks, the vulnerability exists.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Cap-go to version 12.128.2 or later, where this authorization bypass vulnerability has been patched.

Until the upgrade can be applied, restrict access to the affected RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) to authenticated users with proper permission checks, and avoid exposing these functions to the anon role.

Additionally, monitor API usage for suspicious queries using the public API key that attempt to access metrics for arbitrary org_id values.
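An added hardening example for the interim restriction step above (not Cap-go's own migration): it revokes anon and PUBLIC execute on one of the affected functions and moves an org-membership check inside the function body. The org_users and app_metrics tables, their columns, and the get_app_metrics(uuid) signature are assumptions; the same pattern applies to get_global_metrics and get_total_metrics.

```sql
-- Hardening example, not Cap-go's own code. Hypothetical objects:
--   org_users(org_id, user_id)                      org membership
--   app_metrics(org_id, app_id, mau, bandwidth, installs, gets)
-- The signature get_app_metrics(org_id uuid) is also assumed.

-- 1. Remove the grant that let anonymous callers reach the function.
--    Postgres grants EXECUTE to PUBLIC on new functions by default, so
--    revoking from anon alone is not enough; revoke from PUBLIC as well.
REVOKE ALL ON FUNCTION public.get_app_metrics(uuid) FROM PUBLIC, anon;
GRANT EXECUTE ON FUNCTION public.get_app_metrics(uuid) TO authenticated;

-- 2. Enforce membership inside the function so a later accidental
--    GRANT TO anon does not silently reopen the hole.
--    (If the existing return type differs, DROP FUNCTION first.)
CREATE OR REPLACE FUNCTION public.get_app_metrics(org_id uuid)
RETURNS TABLE (app_id text, mau bigint, bandwidth bigint,
               installs bigint, gets bigint)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  -- auth.uid() is NULL for the anon role: reject before reading any data.
  -- A non-member and a nonexistent org get the identical error, which
  -- closes the "valid org returns rows, invalid returns []" oracle.
  -- PostgREST maps SQLSTATE 42501 to HTTP 403.
  IF auth.uid() IS NULL OR NOT EXISTS (
       SELECT 1
         FROM public.org_users ou
        WHERE ou.org_id = get_app_metrics.org_id
          AND ou.user_id = auth.uid()) THEN
    RAISE EXCEPTION 'permission denied' USING ERRCODE = '42501';
  END IF;

  -- Only reached for a verified member of the requested org.
  RETURN QUERY
    SELECT m.app_id,
           sum(m.mau)::bigint, sum(m.bandwidth)::bigint,
           sum(m.installs)::bigint, sum(m.gets)::bigint
      FROM public.app_metrics m
     WHERE m.org_id = get_app_metrics.org_id
     GROUP BY m.app_id;
END;
$$;

-- 3. Stop future functions in the schema from being created anon-callable.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
```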

Compliance Impact

CVE-2026-56235 allows unauthorized disclosure of sensitive organizational telemetry data across tenants, including usage metrics and app identifiers, without proper authorization checks.

Such unauthorized access to potentially sensitive data could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or organizational data and mandate protection against unauthorized disclosure.

By enabling cross-tenant data exposure and organization enumeration, this vulnerability increases the risk of non-compliance with these standards, as it undermines confidentiality and access control requirements.
