CVE-2026-56302
Received - Intake
Unsecured Images Bucket in Capgo Allows Icon Deletion and Data Leak

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.
Meta Information
Generated: 2026-06-24
CVSS Scores: none listed at time of publication
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product   Version / Range
capgo    capgo     all versions before 12.128.2 (12.128.2 excluded)
cap-go   capgo     all versions before 12.128.2 (12.128.2 excluded)
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-56302 is a vulnerability in Capgo versions before 12.128.2 involving an unsecured Supabase storage bucket named "images", which Capgo uses to store app icons.

The bucket is not protected by Row-Level Security (RLS) policies, so unauthenticated attackers can read, insert, and delete stored app icons without any restriction.

Remote attackers can exploit this misconfiguration to delete or overwrite every app icon and to enumerate the bucket's contents, leaking sensitive information such as app IDs and user IDs.

Compliance Impact

The vulnerability allows unauthenticated attackers to read and leak sensitive app IDs and user IDs due to lack of row level security controls on the images bucket.

This exposure of user identifiers could lead to non-compliance with data protection regulations such as GDPR, and with HIPAA where the affected apps handle health data, since both require protection of personal and sensitive data against unauthorized access.

Additionally, the ability to delete stored app icons impacts data integrity, which is also a concern under these standards.

Impact Analysis

This vulnerability can lead to the loss of data confidentiality and integrity by exposing app IDs and user IDs to unauthorized parties and by letting those parties modify stored objects.

Attackers can also delete or replace every stored app icon, disrupting the visual representation of apps in the Capgo dashboard, although the page notes that the data is backed up and can be restored.

The attack requires no privileges, no user interaction, and no complex steps, making it easy for remote attackers to exploit.

Detection Guidance

This vulnerability involves an unsecured Supabase storage bucket ("images") with no Row-Level Security (RLS) policies, which allows unauthenticated access to read, insert, and delete stored app icons.

To detect this vulnerability on a self-hosted Capgo deployment, check the security configuration of the Supabase project that backs it, specifically whether RLS is enabled and whether policies restrict access to the images bucket.

Suggested commands or steps include:

  • Query the catalog for the table that actually holds bucket contents. If the bucket is a Supabase Storage bucket (as the advisory's wording suggests), it is a row in `storage.buckets` and its files are rows in `storage.objects`, so a query such as `SELECT relrowsecurity FROM pg_class WHERE relname = 'images';` returns no rows. Check the objects table instead: `SELECT relrowsecurity FROM pg_class WHERE oid = 'storage.objects'::regclass;` and list the policies that govern it: `SELECT policyname, cmd, roles, qual, with_check FROM pg_policies WHERE schemaname = 'storage' AND tablename = 'objects';`
  • Attempt unauthenticated access with nothing but the project's public anon key, for example `POST /storage/v1/object/list/images` to enumerate objects, then a `DELETE /storage/v1/object/images/<path>` against a test object you uploaded yourself (never against production icons); any success confirms the misconfiguration.
  • Review the bucket's `public` flag and its access policies via the Supabase dashboard or API.
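The catalog checks above, collected into one detection script. This is an added example written for this page, not a query set from the Capgo project or the advisory; it assumes a Supabase-backed Postgres database in which the "images" bucket is a Supabase Storage bucket (a row in `storage.buckets` whose files are rows in `storage.objects`). The bucket name is the one the advisory gives; the role names `anon` and `authenticated` are Supabase's standard API roles.

```sql
-- Detection queries for CVE-2026-56302-style storage exposure (added example,
-- not from the Capgo project). Assumes Supabase Storage with a bucket named
-- 'images'; run as a role that can read the pg_catalog views (e.g. postgres).

-- 1. Is the bucket marked public? A public bucket serves any object by direct
--    path via /storage/v1/object/public/images/<path> with no policy check;
--    listing, inserting and deleting are still governed by RLS either way.
SELECT id, name, public, created_at
FROM storage.buckets
WHERE name = 'images';

-- 2. Is RLS enabled (and forced) on the table that holds the objects?
--    rls_enabled = false means any role with table privileges can read, insert
--    and delete rows regardless of which policies exist.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'storage' AND c.relname = 'objects';

-- 3. Which policies govern storage.objects, and which of them let the anon
--    (unauthenticated) role act without any per-user condition?
--    reachable_by_anon: policy applies to anon, or to public (no TO clause).
--    unconditional: the USING / WITH CHECK expression is literally true or
--    never references the caller's identity, i.e. the misconfiguration the
--    advisory describes (any caller may read, insert or delete icons).
SELECT policyname,
       cmd,
       roles,
       qual       AS using_expr,
       with_check AS with_check_expr,
       ('anon' = ANY(roles) OR 'public' = ANY(roles))      AS reachable_by_anon,
       (COALESCE(qual, with_check) = 'true'
        OR COALESCE(qual, '') || COALESCE(with_check, '')
           NOT LIKE '%auth.uid()%')                          AS unconditional
FROM pg_policies
WHERE schemaname = 'storage'
  AND tablename  = 'objects'
  AND (COALESCE(qual, '') || COALESCE(with_check, '') LIKE '%images%'
       OR COALESCE(qual, '') || COALESCE(with_check, '') NOT LIKE '%bucket_id%')
ORDER BY cmd, policyname;

-- 4. Table privileges: with RLS off, a GRANT is all anon needs; with RLS on,
--    a GRANT is still required for any policy to matter. Confirms the blast
--    radius of a finding from query 2 or 3.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'storage'
  AND table_name   = 'objects'
  AND grantee IN ('anon', 'authenticated')
ORDER BY grantee, privilege_type;
```

A deployment is in the vulnerable state when query 2 reports `rls_enabled = false`, or when query 3 returns any row with both `reachable_by_anon` and `unconditional` true for a `cmd` of `SELECT`, `INSERT` or `DELETE` (or `ALL`). The filter in query 3 deliberately also returns policies that do not mention `bucket_id` at all, since a bucket-agnostic `true` policy covers the images bucket just the same.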
Mitigation Strategies

Immediate mitigation steps include enabling Row-Level Security (RLS) on the table backing the Supabase images bucket and adding policies that restrict who may list, upload, and delete icons. Note that RLS with no policies denies every operation to the API roles, which would also break legitimate icon uploads, so the policies must be added together with the switch.

Additionally, upgrade Capgo to version 12.128.2 or later, where this vulnerability has been fixed.

Review and tighten the access control policies on the images bucket so that unauthenticated callers cannot read object listings, insert, or delete, and so that authenticated users can only modify objects they own.

Monitor the bucket for unauthorized access or unexpected changes to stored app icons, for example a burst of deletions or object listings issued with the anon key.
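A hardened policy set for the bucket, as an added example for this page and not the migration Capgo itself shipped in 12.128.2 (the advisory does not include it). It assumes Supabase Storage with a bucket named 'images', that icons may be fetched by direct URL (the bucket stays public) but must not be enumerable by unauthenticated callers because object paths can carry app IDs and user IDs, and that only the signed-in user who uploaded an icon may replace or delete it. The policy names and the `owner_id` column (Supabase's text-typed owner column; older projects expose a uuid `owner` column instead) are assumptions; adjust them to the schema you actually have.

```sql
-- Hardened RLS for the 'images' bucket (added example, not Capgo's own fix).
-- Assumptions: Supabase Storage; bucket 'images'; storage.objects.owner_id is
-- populated by the Storage API with auth.uid() on upload.

-- 1. RLS must be on, and forced so even the table owner goes through policies.
ALTER TABLE storage.objects ENABLE ROW LEVEL SECURITY;
ALTER TABLE storage.objects FORCE ROW LEVEL SECURITY;

-- 2. Remove any unconditional policy found during detection (name assumed;
--    substitute the policynames your pg_policies query returned).
DROP POLICY IF EXISTS "images_anyone_all" ON storage.objects;

-- 3. Keep the bucket public so icons remain fetchable by direct URL
--    (/storage/v1/object/public/images/<path>). Public reads bypass the SELECT
--    policy, but listing does not, so step 4 still blocks enumeration.
UPDATE storage.buckets SET public = true WHERE id = 'images';

-- 4. Listing: only a signed-in user, and only their own objects. The anon role
--    gets no SELECT policy at all, so /object/list/images returns nothing.
CREATE POLICY "images_owner_select"
  ON storage.objects FOR SELECT
  TO authenticated
  USING (bucket_id = 'images' AND owner_id = auth.uid()::text);

-- 5. Upload: signed-in users only, and the row must be stamped with their id.
CREATE POLICY "images_owner_insert"
  ON storage.objects FOR INSERT
  TO authenticated
  WITH CHECK (bucket_id = 'images' AND owner_id = auth.uid()::text);

-- 6. Replace / rename: both the existing row and the new row must be theirs.
CREATE POLICY "images_owner_update"
  ON storage.objects FOR UPDATE
  TO authenticated
  USING      (bucket_id = 'images' AND owner_id = auth.uid()::text)
  WITH CHECK (bucket_id = 'images' AND owner_id = auth.uid()::text);

-- 7. Delete: owner only. With no DELETE policy for anon, the bulk deletion the
--    advisory describes fails with a permission error.
CREATE POLICY "images_owner_delete"
  ON storage.objects FOR DELETE
  TO authenticated
  USING (bucket_id = 'images' AND owner_id = auth.uid()::text);

-- 8. Belt and braces: make sure anon holds no direct table privilege that a
--    later RLS toggle could expose again.
REVOKE INSERT, UPDATE, DELETE ON storage.objects FROM anon;
```

After applying this, rerun the detection queries: `rls_enabled` should be true, no policy on `storage.objects` should be both reachable by anon and unconditional, and an unauthenticated `POST /storage/v1/object/list/images` should return an empty list rather than the bucket's paths. If your deployment needs an application-level service (rather than end users) to manage icons, give that service its own role or use the service-role key server-side instead of widening these policies to anon.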
