CVE-2026-56321
Deferred Deferred - Pending Action

Authentication Bypass in Capgo Supabase Edge Functions

Vulnerability report for CVE-2026-56321, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Capgo (backend Supabase edge functions) before 12.128.2 does not apply the global authentication middleware to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_bindings routes, so unauthenticated requests reach the handler instead of being rejected at the middleware layer. The handler still performs its own authorization check and returns Unauthorized, so no direct data exposure occurs; the flaw is inconsistent authentication enforcement across HTTP methods that could enable authorization bypass if the handler logic changes.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo supabase_edge_functions to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves the lack of global authentication middleware on the GET /private/role_bindings/:org_id endpoint in Capgo (backend Supabase edge functions) before version 12.128.2. To detect this on your system or network, you can attempt to send unauthenticated GET requests to this endpoint and observe the response behavior.

For example, you can use the following command to test if the endpoint improperly allows unauthenticated access:

  • curl -i -X GET https://<your-capgo-instance>/private/role_bindings/<org_id>

If the response returns a status code other than an authentication error (e.g., 401 Unauthorized), it may indicate the vulnerability is present. Note that the handler performs its own authorization check and returns Unauthorized, so the absence of middleware might not directly expose data but indicates inconsistent authentication enforcement.

Executive Summary

This vulnerability exists in Capgo (backend Supabase edge functions) versions before 12.128.2. The issue is that the global authentication middleware is not applied to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_bindings routes. As a result, unauthenticated requests can reach the handler for this GET endpoint instead of being blocked by the middleware.

Although the handler itself performs an authorization check and returns an Unauthorized response if the request is not authorized, the inconsistency in applying authentication middleware across HTTP methods could potentially allow an authorization bypass if the handler logic changes in the future.

Impact Analysis

The vulnerability could allow unauthenticated requests to reach the GET /private/role_bindings/:org_id endpoint handler. While the handler currently performs its own authorization checks and prevents direct data exposure by returning Unauthorized responses, the inconsistent enforcement of authentication middleware creates a risk.

If the handler's authorization logic is modified or bypassed in the future, this flaw could lead to an authorization bypass, potentially exposing sensitive information or allowing unauthorized actions.

Compliance Impact

This vulnerability involves inconsistent authentication enforcement on a specific endpoint, which could potentially enable authorization bypass if the handler logic changes. However, as described, no direct data exposure currently occurs because the handler performs its own authorization checks and returns Unauthorized for unauthenticated requests.

Given that no direct data exposure occurs at present, the vulnerability may not immediately violate compliance requirements such as GDPR or HIPAA. Nevertheless, the risk of authorization bypass could lead to unauthorized access in the future if the handler logic is modified, which could impact compliance with data protection standards that require strict access controls.

Therefore, while the current state does not directly breach common standards, the presence of this flaw represents a potential compliance risk that should be addressed to maintain adherence to regulations like GDPR and HIPAA.

Mitigation Strategies

To mitigate this vulnerability, update Capgo (backend Supabase edge functions) to version 12.128.2 or later, where the global authentication middleware is correctly applied to the GET /private/role_bindings/:org_id endpoint.

This ensures consistent authentication enforcement across all HTTP methods and prevents unauthenticated requests from reaching the handler.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart