CVE-2026-56226
Deferred Deferred - Pending Action

Unauthenticated Access to User Data via Supabase PostgREST in Capgo

Vulnerability report for CVE-2026-56226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the authenticated user, an attacker using only the public publishable API key can query POST /rest/v1/rpc/get_orgs_v6 with an arbitrary user UUID to retrieve that user's organization membership, roles, subscription/trial metadata, and management_email (PII).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cap-go capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to access personally identifiable information (PII) such as management emails and sensitive organization data without authorization.

Exposure of PII and sensitive organizational information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on unauthorized access to personal and sensitive data.

Because the vulnerability enables unauthorized disclosure of user-related data, it increases the risk of privacy violations and potential regulatory penalties.

Executive Summary

The vulnerability CVE-2026-56226 exists in Capgo versions before 12.128.2 and involves an exposed Supabase PostgREST RPC function named public.get_orgs_v6(userid uuid). This function is marked as SECURITY DEFINER and is granted to the anon role, allowing unauthenticated access.

Because the function accepts a user-supplied UUID without verifying it matches the authenticated user, an attacker can use the public publishable API key to query the function with any arbitrary user UUID. This lets the attacker retrieve sensitive information such as that user's organization membership, roles, subscription or trial metadata, and management email, which is personally identifiable information (PII).

The root cause is that the function runs with elevated privileges (SECURITY DEFINER) and grants all permissions to the anon role, enabling unauthorized data access.

Impact Analysis

This vulnerability allows unauthenticated attackers to access sensitive organization data of any user by supplying arbitrary user UUIDs. The exposed data includes organization membership, user roles, subscription or trial metadata, and management email addresses.

Such unauthorized access can lead to privacy violations, targeted social engineering attacks, and mapping of privileged users within organizations, increasing the risk of further exploitation.

Detection Guidance

This vulnerability can be detected by attempting to access the exposed RPC function get_orgs_v6(userid) using the public publishable API key without authentication.

A practical detection method is to send a POST request to the endpoint /rest/v1/rpc/get_orgs_v6 with an arbitrary user UUID in the request body and observe if sensitive organization data is returned.

For example, you can use the following curl command to test for the vulnerability:

  • curl -X POST https://<your-capgo-instance>/rest/v1/rpc/get_orgs_v6 -H "apikey: <public-publishable-api-key>" -H "Content-Type: application/json" -d '{"userid":"<arbitrary-uuid>"}'

If the response contains organization membership, roles, subscription/trial metadata, or management email information for the supplied UUID, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include revoking the anon role's access to the get_orgs_v6 function to prevent unauthenticated queries.

Another effective measure is to modify the function to enforce that the userid parameter matches the authenticated user's ID by adding a check such as userid = auth.uid().

Alternatively, require a valid JWT token for accessing the function to ensure proper authentication and authorization.

These steps will prevent unauthorized users from querying sensitive organization data using only the public API key.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart