CVE-2026-56311
Authorization Bypass in Capgo via Public RPC Function

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.
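The weakness class described above, as an added illustration that is not Capgo's code or schema: a Supabase/PostgreSQL RPC function that runs as SECURITY DEFINER and is executable by the anonymous role, so any caller holding the public key can read plan limits for any organization UUID, shown beside a hardened version that requires the caller to be a member of that organization. The table names, columns and function names are hypothetical; auth.uid() is Supabase's helper for the calling user's id.

```sql
-- Constructed sample schema (hypothetical, not Capgo's tables).
create table orgs (id uuid primary key, name text);
create table org_users (org_id uuid references orgs(id), user_id uuid);
create table org_plan_limits (
  org_id uuid references orgs(id),
  mau int, bandwidth_gb int, storage_gb int, build_minutes int
);

-- Weak pattern: SECURITY DEFINER makes the function run with the owner's
-- rights (so row-level security on the table does not apply), and EXECUTE is
-- granted to anon. PostgREST exposes it at /rest/v1/rpc/<name>, so the public
-- key alone is enough to query any org_id.
create or replace function get_plan_max_org_weak(orgid uuid)
returns table(mau int, bandwidth_gb int, storage_gb int, build_minutes int)
language sql security definer as $$
  select l.mau, l.bandwidth_gb, l.storage_gb, l.build_minutes
  from org_plan_limits l where l.org_id = orgid;
$$;
grant execute on function get_plan_max_org_weak(uuid) to anon, authenticated;

-- Hardened pattern: the function itself verifies that the authenticated
-- caller belongs to the requested organization before returning anything,
-- and EXECUTE is withdrawn from anon. Note that PostgreSQL grants EXECUTE to
-- PUBLIC by default, so revoking from PUBLIC is required as well.
create or replace function get_plan_max_org(orgid uuid)
returns table(mau int, bandwidth_gb int, storage_gb int, build_minutes int)
language plpgsql security definer
set search_path = public as $$
begin
  if auth.uid() is null or not exists (
       select 1 from org_users ou
       where ou.org_id = orgid and ou.user_id = auth.uid()) then
    raise exception 'not a member of organization %', orgid
      using errcode = '42501';  -- insufficient_privilege
  end if;
  return query
    select l.mau, l.bandwidth_gb, l.storage_gb, l.build_minutes
    from org_plan_limits l where l.org_id = orgid;
end;
$$;
revoke execute on function get_plan_max_org(uuid) from public, anon;
grant execute on function get_plan_max_org(uuid) to authenticated;
```

A quick audit query for the same class of issue is `select p.proname from pg_proc p join pg_namespace n on n.oid = p.pronamespace where n.nspname = 'public' and has_function_privilege('anon', p.oid, 'EXECUTE');`, which lists every public-schema function the anonymous role may call.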
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: before 12.128.2 (12.128.2 excluded)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves an authorization bypass in the public.get_current_plan_max_org RPC function.

It allows unauthenticated attackers to retrieve arbitrary organization plan limits by calling the RPC endpoint with any organization UUID using only the public Supabase key.

As a result, attackers can disclose billing information such as monthly active users (MAU), bandwidth, storage, and build time limits for any organization.

Impact Analysis

The impact of this vulnerability is that unauthorized parties can read the billing plan limits of any organization using the affected Capgo service, because the RPC function does not check that the caller belongs to the organization it is asked about.

This could enable privacy violations, competitive intelligence gathering, or other misuse of the disclosed plan limits (MAU, bandwidth, storage, and build time).

The vulnerability does not allow modification or disruption of data; its effect is limited to unauthorized disclosure of these billing details.
