CVE-2026-56311
Deferred Deferred - Pending Action

Authorization Bypass in Capgo via Public RPC Function

Vulnerability report for CVE-2026-56311, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include revoking public access to the public.get_current_plan_max_org RPC function to prevent unauthenticated calls.

Additionally, implement proper authorization checks within the RPC function to ensure that only authorized users can access the organization's billing information.

Upgrading to Capgo version 12.128.2 or later, where this vulnerability is patched, is strongly recommended.

Compliance Impact

CVE-2026-56311 allows unauthenticated attackers to access sensitive billing information of any organization by bypassing authorization controls. This cross-tenant data disclosure could lead to unauthorized exposure of personal or organizational data, potentially violating data protection regulations such as GDPR or HIPAA that require strict access controls and protection of sensitive information.

The vulnerability exposes billing details including monthly active users, bandwidth, storage, and build time limits, which may be considered sensitive business information. Failure to prevent such unauthorized access could result in non-compliance with standards that mandate confidentiality and integrity of data.

Mitigating this vulnerability by applying the patch and implementing proper authorization checks is essential to maintain compliance with these regulations.

Detection Guidance

This vulnerability can be detected by attempting to call the public.get_current_plan_max_org RPC function with an arbitrary organization UUID using only the public Supabase key. If the call returns billing information such as monthly active users (MAU), bandwidth, storage, or build time limits without authentication, the system is vulnerable.

A suggested command to test this could be a direct RPC call to the Supabase endpoint, for example using curl or a similar HTTP client:

  • curl -X POST https://<your-supabase-url>/rest/v1/rpc/public.get_current_plan_max_org -H "apikey: <public-supabase-key>" -H "Content-Type: application/json" -d '{"uuid":"<organization-uuid>"}'

If this command returns sensitive plan limit data without requiring authentication, it indicates the vulnerability is present.

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves an authorization bypass in the public.get_current_plan_max_org RPC function.

It allows unauthenticated attackers to retrieve arbitrary organization plan limits by calling the RPC endpoint with any organization UUID using only the public Supabase key.

As a result, attackers can disclose billing information such as monthly active users (MAU), bandwidth, storage, and build time limits for any organization.

Impact Analysis

The impact of this vulnerability is that unauthorized individuals can access sensitive billing information of any organization using the affected Capgo service.

This could lead to privacy concerns, competitive intelligence gathering, or other misuse of disclosed plan limits such as MAU, bandwidth, storage, and build time.

However, the vulnerability does not allow modification or disruption of data, only unauthorized disclosure of certain billing details.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56311. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart