Information Disclosure in Capgo Product by Leading Vendor
CVE-2026-56238

8.7HIGH

Key Information:

Vendor

Capgo

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-56238?

Capgo versions prior to 12.128.2 are susceptible to an information disclosure vulnerability affecting the Supabase PostgREST global_stats endpoint. This vulnerability enables unauthenticated attackers to exploit the endpoint using only a public API key, allowing them to access sensitive data such as monthly recurring revenue (MRR), total revenue figures, revenue breakdown by plan tier, customer counts, and operational telemetry metrics. The exposure of such sensitive financial and operational information can significantly impact the security posture of organizations utilizing this software.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.