CVE-2026-56339
Received Received - Intake

Information Disclosure in Capgo via Supabase PostgREST RPC

Vulnerability report for CVE-2026-56339, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an information disclosure issue in Capgo versions before 12.128.2. It involves an unauthenticated organization existence oracle via a public Supabase RPC function called public.rescind_invitation. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, allowing attackers to enumerate valid organization IDs without authentication.

Impact Analysis

Attackers can use this vulnerability to discover valid organization IDs, increasing the risk of targeted phishing or social engineering campaigns. The flaw enables enumeration of organizations without needing a valid session or JWT, expanding the attack surface for malicious activities.

Compliance Impact

This vulnerability may violate data protection regulations like GDPR and HIPAA by exposing sensitive organization information through information disclosure. It undermines security controls designed to protect personal and organizational data from unauthorized access.

Detection Guidance

To detect this vulnerability, you can test the Supabase PostgREST RPC function public.rescind_invitation by sending requests with a publishable API key and observing the error responses. If the system returns distinct errors like NO_ORG for non-existent organizations and NO_RIGHTS for existing ones, the vulnerability is likely present.

Mitigation Strategies

Immediately remove public execution grants for the public.rescind_invitation function in Supabase PostgREST. Require authenticated sessions for all RPC calls and ensure the function returns a single generic error message for unauthorized or unknown targets to prevent organization ID enumeration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart