CVE-2026-56337
Information Disclosure in Capgo via RPC Function

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters. Remote attackers can exploit this SECURITY DEFINER function to determine whether specific app_ids exist in the public.apps table, enabling cross-tenant app enumeration and privacy violations.
Affected Vendors & Products

Vendor: capgo
Product: capgo
Version / Range: before 12.128.2 (12.128.2 itself not affected)
CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-56337 is an information disclosure vulnerability in Capgo versions before 12.128.2. It exists in the public.exist_app_v2 RPC function, which is marked as SECURITY DEFINER and accessible to unauthenticated users.

This vulnerability allows remote attackers to send POST requests with arbitrary appid parameters to the /rest/v1/rpc/exist_app_v2 endpoint. The function then reveals whether specific app_ids exist in the public.apps table.

Because the function bypasses Row-Level Security and returns a boolean indicating app existence, attackers can enumerate app_ids across tenants, leading to privacy violations.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to enumerate app_ids across different tenants in Capgo.

Such cross-tenant app enumeration can lead to privacy violations by exposing the existence of applications that should remain confidential.

Attackers could use this information to build organizational or application graphs, potentially aiding further targeted attacks or reconnaissance.

Detection Guidance

This vulnerability can be detected by attempting to call the vulnerable RPC function exist_app_v2 with arbitrary appid parameters via a POST request to /rest/v1/rpc/exist_app_v2 and observing the response.

A simple detection command using curl could be:

  • curl -X POST https://<target-host>/rest/v1/rpc/exist_app_v2 -H "Content-Type: application/json" -d '{"appid":"test_app_id"}'

If the response returns a boolean indicating whether the app_id exists, it confirms the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include revoking the anon role's access to the exist_app_v2 RPC function or modifying the function so that it does not reveal the existence status of app_ids.

Specifically, you can:

  • Revoke or restrict anon role permissions on the exist_app_v2 function to prevent unauthenticated access.
  • Modify the exist_app_v2 function to return a constant response that does not disclose whether an app_id exists.
  • Ensure proper authorization checks are enforced on the RPC function to prevent cross-tenant app enumeration.

Upgrading to Capgo version 12.128.2 or later, where this vulnerability is fixed, is also recommended.
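One way to apply the first two mitigation steps in PostgreSQL, as an added example that is not Capgo's own migration: it assumes the RPC is declared as public.exist_app_v2(appid character varying), that public.apps has an app_id column with tenant-scoped RLS policies enabled, and the standard Supabase anon/authenticated roles. Both the revoke and the SECURITY INVOKER rewrite close the existence oracle; run the final two queries to confirm the grant is gone.

```sql
-- Added example, not Capgo's own schema or migration.
-- Assumptions: signature exist_app_v2(appid character varying), column
-- public.apps.app_id, RLS enabled on public.apps, Supabase roles anon/authenticated.

-- 1. Close the unauthenticated path. PostgREST exposes every function the
--    caller's role may EXECUTE, and Postgres grants EXECUTE on new functions
--    to PUBLIC by default, so revoke from both PUBLIC and anon.
REVOKE EXECUTE ON FUNCTION public.exist_app_v2(character varying) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.exist_app_v2(character varying) TO authenticated;

-- 2. Stop the function from acting as a cross-tenant existence oracle.
--    SECURITY INVOKER runs the lookup as the caller, so RLS on public.apps
--    applies: a caller who cannot see the row gets false, the same answer as
--    for an app_id that does not exist at all.
CREATE OR REPLACE FUNCTION public.exist_app_v2(appid character varying)
RETURNS boolean
LANGUAGE sql
SECURITY INVOKER
STABLE
AS $$
  SELECT EXISTS (
    SELECT 1 FROM public.apps WHERE app_id = appid
  );
$$;

-- 3. Verify: both checks must return false after the change.
SELECT has_function_privilege('anon',   'public.exist_app_v2(character varying)', 'EXECUTE');
SELECT has_function_privilege('public', 'public.exist_app_v2(character varying)', 'EXECUTE');
```

Note that CREATE OR REPLACE keeps existing grants on the function, so step 1 is still required after step 2; if the deployed signature differs from the assumed one, adjust the argument type in every statement or the REVOKE will fail to match the function.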

Compliance Impact

This vulnerability allows unauthenticated attackers to enumerate app_ids across tenants, leading to privacy violations by exposing the existence of specific applications in the public.apps table.

Such unauthorized information disclosure can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring privacy.

By enabling cross-tenant app enumeration, the vulnerability could facilitate unauthorized data mapping or profiling, which may violate principles of data minimization and confidentiality mandated by these standards.
