CVE-2026-56248
Unauthenticated DoS in Cap-go Backend via Supabase RLS Policy

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.
Affected Vendors & Products
Vendor    Product          Version / Range
cap-go    capgo            up to 12.128.12 (exclusive)
cap-go    capgo-backend    up to 12.128.12 (exclusive)
CWE ID     Description
CWE-400    The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-56248 is an unauthenticated denial-of-service (DoS) vulnerability in Cap-go's capgo-backend versions before 12.128.12. It arises from a flaw in the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. The PostgreSQL query planner executes resource-intensive operations before rejecting unauthorized queries, causing statement timeouts when querying the public.audit_logs endpoint using the public anon key.

Under concurrent access, this behavior exhausts database resources, leading to cascading HTTP 500 errors on unrelated endpoints (such as /orgs), effectively causing an application-layer denial of service.

Impact Analysis

This vulnerability can severely impact service availability by allowing unauthenticated attackers to exhaust database resources through repeated queries to the audit_logs table. This results in statement timeouts and cascading HTTP 500 errors on unrelated endpoints, causing service degradation or full service disruption.

  • Reduced availability of the affected application.
  • Cascading failures on unrelated API endpoints.
  • Potential full denial of service at the application layer.
Detection Guidance

This vulnerability can be detected by observing repeated statement timeouts (PostgreSQL error 57014) when querying the public.audit_logs endpoint via the Supabase PostgREST API using the public anon key.

Specifically, unauthenticated queries to the audit_logs table that consistently result in HTTP 500 errors or statement timeouts indicate the presence of this issue.

A practical detection method is to perform an unauthenticated query to the public.audit_logs endpoint and monitor for timeouts or HTTP 500 errors.

  • Use a command like: curl -X GET "https://<your-capgo-instance>/rest/v1/public.audit_logs" -H "apikey: anon"
  • If the query consistently times out or returns HTTP 500 errors, this indicates the vulnerability is present.

Additionally, monitoring your database logs for frequent statement cancellations due to timeouts (error 57014) and observing cascading HTTP 500 errors on unrelated endpoints (e.g., /orgs) under concurrent access can help detect exploitation attempts.
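A defender-side check for the log pattern described above, as an added example that is not part of this advisory or of Capgo's own code: it buckets 57014 statement cancellations into fixed time windows, separates anon-role cancellations on audit_logs (the trigger) from timeouts on other roles and tables (the cascading effect), and raises an alert when the trigger count in a window reaches a threshold. The sample log lines are constructed, and their format (SQLSTATE and PostgREST role in the line prefix) is an assumption, not a real Supabase log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real Capgo/Supabase output); assumes a
# log_line_prefix that exposes the SQLSTATE code and the PostgREST role.
SAMPLE_LOG = """\
2026-06-23 10:00:01 [57014] role=anon ERROR: canceling statement due to statement timeout STATEMENT: SELECT * FROM public.audit_logs
2026-06-23 10:00:02 [57014] role=anon ERROR: canceling statement due to statement timeout STATEMENT: SELECT * FROM public.audit_logs
2026-06-23 10:00:03 [00000] role=authenticated LOG: duration: 12.1 ms STATEMENT: SELECT * FROM public.orgs
2026-06-23 10:00:03 [57014] role=anon ERROR: canceling statement due to statement timeout STATEMENT: SELECT * FROM public.audit_logs
2026-06-23 10:00:04 [57014] role=authenticated ERROR: canceling statement due to statement timeout STATEMENT: SELECT * FROM public.orgs
2026-06-23 10:05:00 [57014] role=anon ERROR: canceling statement due to statement timeout STATEMENT: SELECT * FROM public.audit_logs
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<sqlstate>\d{5})\] "
    r"role=(?P<role>\w+) .*?STATEMENT: (?P<stmt>.*)$"
)
EPOCH = datetime(1970, 1, 1)

def parse_events(text):
    """Turn log text into event dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "sqlstate": m["sqlstate"], "role": m["role"],
                           "stmt": m["stmt"]})
    return events

def timeout_windows(events, window_seconds=60):
    """Count 57014 cancellations per fixed window, split into the trigger
    (anon role hitting audit_logs) and collateral timeouts on anything else."""
    buckets = defaultdict(lambda: {"anon_audit_logs": 0, "other": 0})
    for ev in events:
        if ev["sqlstate"] != "57014":
            continue
        offset = (ev["ts"] - EPOCH).total_seconds() % window_seconds
        key = ev["ts"] - timedelta(seconds=offset)  # floor to window start
        is_trigger = ev["role"] == "anon" and "audit_logs" in ev["stmt"]
        buckets[key]["anon_audit_logs" if is_trigger else "other"] += 1
    return dict(buckets)

def alerts(events, window_seconds=60, threshold=3):
    """Windows whose anon audit_logs cancellations reach the threshold; 'collateral' marks other timeouts."""
    return [{"window_start": start, "anon_audit_logs": c["anon_audit_logs"],
             "collateral": c["other"] > 0}
            for start, c in sorted(timeout_windows(events, window_seconds).items())
            if c["anon_audit_logs"] >= threshold]
```

On the constructed sample, the 10:00 window holds three anon audit_logs cancellations plus one authenticated timeout on orgs, so it alerts with the collateral flag set, while the lone 10:05 cancellation stays below threshold.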

Mitigation Strategies

Immediate mitigation involves upgrading capgo-backend to version 12.128.12 or later, where this vulnerability has been addressed.

Until an upgrade is possible, restrict or disable unauthenticated access to the public.audit_logs endpoint to prevent unauthenticated queries using the public anon key.

Implement rate limiting or throttling on queries to the audit_logs endpoint to reduce the risk of resource exhaustion.

Monitor your system for unusual spikes in database resource consumption and HTTP 500 errors on unrelated endpoints, and respond promptly to such incidents.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
