CVE-2026-56303
Received Received - Intake

Information Disclosure in Capgo via Unauthenticated PostgreSQL Function

Vulnerability report for CVE-2026-56303, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata including user_id, mode, org scoping, and expiration details when supplied a valid key value.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)
cap-go capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56303 is an information disclosure vulnerability in Capgo versions before 12.128.2. It involves a PostgreSQL function named find_apikey_by_value that is marked as SECURITY DEFINER and executable by the anonymous (anon) role.

This function can be called without authentication via the /rest/v1/rpc/find_apikey_by_value endpoint. When supplied with a valid API key value, it returns sensitive API key metadata including user ID, mode, organization scoping, and expiration details.

Because the function runs with elevated privileges and is accessible to unauthenticated users, attackers can retrieve sensitive information from the apikeys table, bypassing intended authentication controls.

Impact Analysis

This vulnerability allows unauthenticated attackers to access sensitive API key metadata, which can lead to several security risks.

  • Attackers can verify the validity of API keys.
  • They can identify privileged keys and their associated permissions.
  • Attackers can map user relationships and organizational scoping.
  • The exposure of expiration details can help attackers time their attacks.

Overall, this can lead to amplification of the impact of leaked keys and unauthorized access to sensitive systems or data.

Detection Guidance

This vulnerability can be detected by attempting to call the PostgreSQL function `find_apikey_by_value` via the exposed Supabase RPC endpoint `/rest/v1/rpc/find_apikey_by_value` without authentication.

A practical detection method is to send a request to this endpoint with a valid or guessed API key value and observe if sensitive API key metadata such as user_id, mode, org scoping, and expiration details are returned.

For example, using curl to test the endpoint might look like this:

  • curl -X POST https://your-capgo-instance/rest/v1/rpc/find_apikey_by_value -H "Content-Type: application/json" -d '{"key_value":"<valid_or_test_api_key>"}'

If the response contains detailed API key metadata without requiring authentication, the vulnerability is present.

Mitigation Strategies

The immediate and recommended mitigation step is to update Capgo to version 12.128.2 or later, where this vulnerability has been patched.

Until the update can be applied, restrict access to the `/rest/v1/rpc/find_apikey_by_value` endpoint to prevent unauthenticated calls, for example by implementing network-level access controls or API gateway restrictions.

Additionally, review and adjust PostgreSQL function permissions to ensure that the `find_apikey_by_value` function is not executable by the anonymous (`anon`) role.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56303. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart