Unauthenticated Data Exposure in Capgo's Supabase PostgREST Function
CVE-2026-56226
8.7HIGH
What is CVE-2026-56226?
The Capgo platform's Supabase PostgREST RPC function, public.get_orgs_v6, prior to version 12.128.2, permits unauthenticated access to sensitive user organization data. By exploiting this security flaw, an attacker can invoke the public API to retrieve detailed information about any user by supplying a UUID. This includes sensitive data such as organization membership, roles, subscription details, and personal management email addresses, leading to a significant risk of privacy violations and data breaches.
Affected Version(s)
capgo 0 < 12.128.2
capgo 12.128.2
