CVE-2026-56238
Received Received - Intake

Information Disclosure in Capgo via Supabase PostgREST

Vulnerability report for CVE-2026-56238, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/global_stats endpoint to expose MRR, total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56238 is an information disclosure vulnerability in Capgo versions before 12.128.2. It exists in the Supabase PostgREST global_stats endpoint, which allows unauthenticated attackers to access sensitive financial and operational data by querying the /rest/v1/global_stats endpoint using only the public API key.

  • Attackers can read Monthly Recurring Revenue (MRR), total revenue, revenue breakdown by plan tiers, customer counts, and operational telemetry.
  • The vulnerability arises due to improper access controls allowing anonymous users to access the public.global_stats table.
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive financial and operational metrics of your platform.

  • Competitors or attackers could gather competitive intelligence such as revenue figures and customer counts.
  • Attackers could assess your platform's scale and usage patterns through exposed telemetry data.
  • Such exposure could damage business confidentiality and strategic positioning.
Detection Guidance

This vulnerability can be detected by attempting to query the vulnerable endpoint /rest/v1/global_stats using the public API key without authentication. If the query returns sensitive financial and operational metrics such as MRR, total revenue, plan-tier revenue breakdown, customer counts, or operational telemetry, the system is vulnerable.

A simple command to test this could be using curl to send a GET request to the endpoint with the public API key, for example:

  • curl -H "apikey: <public_api_key>" https://<your-capgo-instance>/rest/v1/global_stats

If the response contains sensitive data without requiring authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include revoking public access to the global_stats table to prevent unauthenticated queries.

Implementing row-level security (RLS) on the global_stats table is recommended to restrict access to authorized users only.

Alternatively, serve the metrics through an authenticated or admin-only API endpoint, and redact sensitive data if necessary.

Additionally, upgrading Capgo to version 12.128.2 or later, where this vulnerability is fixed, is advised.

Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive financial and operational data without authorization, which indicates improper access control and exposure of sensitive information.

Such unauthorized disclosure of sensitive data could potentially lead to non-compliance with standards and regulations that require protection of sensitive information, such as GDPR and HIPAA, especially if the exposed data includes personal or financial information covered under these regulations.

The vulnerability arises from public access to the global_stats table without proper access controls, which is a failure to implement adequate security measures required by many compliance frameworks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart