Unauthenticated Data Exposure in Capgo's Supabase PostgREST Function
CVE-2026-56226

8.7HIGH

Key Information:

Vendor

Cap-go

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56226?

The Capgo platform's Supabase PostgREST RPC function, public.get_orgs_v6, prior to version 12.128.2, permits unauthenticated access to sensitive user organization data. By exploiting this security flaw, an attacker can invoke the public API to retrieve detailed information about any user by supplying a UUID. This includes sensitive data such as organization membership, roles, subscription details, and personal management email addresses, leading to a significant risk of privacy violations and data breaches.

Affected Version(s)

capgo 0 < 12.128.2

capgo 12.128.2

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.