CVE-2026-56244
Capgo API Key Webhook Secret Exposure via Insufficient RLS

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: up to 12.128.2 (excluding)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Capgo to version 12.128.2 or later, where the issue is fixed.

Additionally, restrict access to webhook signing secrets by moving them to a separate table with stricter permissions or omitting them from queries accessible by non-admin API keys.

Ensure that row-level security policies on the webhooks table in Supabase REST are properly configured to prevent non-admin API keys from reading sensitive data.
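The two fixes named above (a separate table with stricter policies, and keeping the secret out of anything a non-admin key can select) sketched as Postgres RLS statements. This is an added example, not Capgo's schema, migration or code: the table layout, the `authenticated` role and the helper functions `caller_is_admin()` and `caller_can_read_app(text)` are assumptions standing in for however the real project resolves the calling API key.

```sql
-- Added example, not Capgo's schema: simplified tables and policies showing
-- the weak layout beside the corrected one. caller_is_admin() and
-- caller_can_read_app(app_id) are assumed helpers that resolve the request's
-- API key; their bodies are project specific and not reproduced here.

-- BEFORE: the signing secret sits in the same row as the public fields and a
-- single SELECT policy exposes every column to any key scoped to the app.
CREATE TABLE webhooks (
  id     bigserial PRIMARY KEY,
  app_id text NOT NULL,
  url    text NOT NULL,
  secret text NOT NULL        -- used to compute X-Capgo-Signature
);
ALTER TABLE webhooks ENABLE ROW LEVEL SECURITY;
CREATE POLICY webhooks_select ON webhooks
  FOR SELECT TO authenticated
  USING (caller_can_read_app(app_id));
-- A read-only key now receives `secret` from GET /rest/v1/webhooks.

-- AFTER: move the secret to its own table whose only policy admits admin
-- keys, so the non-admin SELECT policy on webhooks never covers the secret.
CREATE TABLE webhook_secrets (
  webhook_id bigint PRIMARY KEY REFERENCES webhooks(id) ON DELETE CASCADE,
  secret     text   NOT NULL
);
INSERT INTO webhook_secrets (webhook_id, secret)
  SELECT id, secret FROM webhooks;          -- migrate before dropping
ALTER TABLE webhooks DROP COLUMN secret;

ALTER TABLE webhook_secrets ENABLE ROW LEVEL SECURITY;
CREATE POLICY webhook_secrets_admin_select ON webhook_secrets
  FOR SELECT TO authenticated
  USING (caller_is_admin()
         AND caller_can_read_app(
               (SELECT w.app_id FROM webhooks w WHERE w.id = webhook_id)));
-- No INSERT/UPDATE/DELETE policy is defined: with RLS enabled and no matching
-- policy, those statements are denied for `authenticated`. Server-side code
-- that signs outgoing events reads webhook_secrets with a privileged role
-- (for Supabase, the service role, which bypasses RLS), never via the
-- client-facing API key.

-- Check, run as a session authenticated with a non-admin key:
SELECT count(*) FROM webhook_secrets;       -- expected: 0
```

Run the same `count(*)` with an admin key to confirm the policy still admits the callers who legitimately need the secret.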

Executive Summary

CVE-2026-56244 is a vulnerability in Capgo versions before 12.128.2 where non-admin API keys can read webhook signing secrets via the Supabase REST API. This happens because of insufficient row-level security policies on the webhooks table, allowing attackers with read-only or non-admin API keys to access the secret used to sign webhook payloads.

With access to the webhook signing secret, attackers can forge valid X-Capgo-Signature headers and send authenticated webhook events that appear legitimate to configured receivers. This breaks the authenticity and integrity of webhook communications, potentially allowing unauthorized actions in downstream systems.

Impact Analysis

This vulnerability can have serious impact by allowing attackers to impersonate the legitimate webhook sender. By forging valid signatures, attackers can send spoofed webhook payloads that appear authentic, potentially triggering unauthorized actions or workflows in systems that rely on these webhooks.

Such unauthorized actions could lead to data manipulation, unauthorized access, or other security breaches depending on how webhook events are processed by your applications.

Compliance Impact

This vulnerability allows unauthorized access to sensitive webhook signing secrets, which can lead to the forging of authenticated webhook events. Such unauthorized disclosure and potential misuse of sensitive information can undermine data integrity and confidentiality controls required by common standards and regulations like GDPR and HIPAA.

By exposing sensitive information to unauthorized actors, the vulnerability may result in non-compliance with data protection requirements that mandate strict access controls and protection of sensitive data.

Detection Guidance

This vulnerability involves non-admin API keys being able to read webhook signing secrets via the Supabase REST API due to insufficient row-level security policies on the webhooks table.

To check whether your deployment is affected, query the webhooks table with a non-admin API key that has SELECT permission and inspect whether the webhook signing secret is returned. The steps below simulate such a key querying the table for the secret field.

  • Use a REST API client (e.g., curl) with a non-admin API key to send a GET request to the Supabase REST endpoint for the webhooks table and check if the secret is returned.
  • Example curl command: curl -H "apikey: NON_ADMIN_API_KEY" https://your-supabase-instance.supabase.co/rest/v1/webhooks
  • If the response includes the webhook signing secret, your system is vulnerable.