CVE-2026-56284
Deferred Deferred - Pending Action

Information Disclosure in Capgo via Supabase PostgREST RPC

Vulnerability report for CVE-2026-56284, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only the public sb_publishable_* key. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics including MAU, bandwidth, and install counts by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)
cap-go capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56284 is an information disclosure vulnerability in Capgo versions before 12.128.2. It exists in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which can be called by the anon role using only the public sb_publishable_* key without authentication.

An unauthenticated attacker can send POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs to probe whether organizations exist and to leak sensitive usage metrics such as monthly active users (MAU), bandwidth consumption, and install counts.

This vulnerability allows attackers to gather sensitive operational data and confirm organization existence without any authentication.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to discover whether your organization exists in the system and to access sensitive usage metrics such as monthly active users, bandwidth usage, and install counts.

Such information disclosure can lead to privacy concerns, competitive intelligence gathering by malicious actors, and potential exploitation based on the leaked operational data.

Detection Guidance

This vulnerability can be detected by sending POST requests to the endpoint /rest/v1/rpc/get_total_metrics with valid or random organization UUIDs and observing the responses.

If the response returns sensitive usage metrics such as monthly active users (MAU), bandwidth, and install counts, it indicates the vulnerability is present. If the response is an empty array for invalid UUIDs, it confirms the endpoint is leaking information about organization existence.

A sample command to test this using curl would be:

  • curl -X POST https://<your-capgo-instance>/rest/v1/rpc/get_total_metrics -H "apikey: public_sb_publishable_key" -H "Content-Type: application/json" -d '{"org_id":"<organization-uuid>"}'

Replace <your-capgo-instance> with your server address, <organization-uuid> with a valid or random UUID, and use the public sb_publishable_* key as the apikey header.

Mitigation Strategies

Immediate mitigation steps include revoking anonymous (unauthenticated) access to the public.get_total_metrics RPC function.

Implement authenticated membership checks to ensure only authorized users can call this function.

Alternatively, modify the function to return a constant response shape regardless of the org_id input to prevent leaking information about organization existence or usage metrics.

Upgrading to Capgo version 12.128.2 or later, where this vulnerability is fixed, is also recommended.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive usage metrics and probe for the existence of organizations, which constitutes an information disclosure issue.

Such unauthorized exposure of sensitive organizational data could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

Specifically, leaking metrics such as monthly active users, bandwidth, and install counts without proper authentication may violate principles of data minimization and confidentiality mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart