Unauthenticated Denial-of-Service Vulnerability in Capgo Backend by Cap-go
CVE-2026-56248

8.7 HIGH

Key Information:

Vendor

Cap-go

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-56248?

A vulnerability in the capgo backend allows unauthenticated denial-of-service attacks because of a flaw in the Row-Level Security (RLS) policy on the audit_logs table. When the table is reached through the Supabase PostgREST API, an unfiltered query makes PostgreSQL evaluate the policy's expensive logic for the rows it scans before the policy finally rejects them, so the request consumes substantial resources even though it returns nothing. Such queries run until the statement timeout fires and, under concurrent requests, can exhaust database resources, causing cascading failures across unrelated application endpoints and degrading overall service availability.
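The following SQL is an added illustration of the failure mode described above and of the usual hardening, written for this page; it is not Capgo's schema, policy or fix. The audit_logs and org_users tables and the policy bodies are hypothetical; the anon and authenticated roles and the auth.uid() function are the standard Supabase ones. The point it shows is that table privileges are checked before any RLS policy expression is planned or executed, so revoking the unauthenticated role's access rejects the request cheaply, while a policy that applies to every role pays for its per-row logic first and rejects afterwards.

```sql
-- Hypothetical schema for illustration (constructed, not Capgo's).
CREATE TABLE org_users (
  org_id  uuid NOT NULL,
  user_id uuid NOT NULL,
  PRIMARY KEY (org_id, user_id)
);

CREATE TABLE audit_logs (
  id         bigserial PRIMARY KEY,
  org_id     uuid NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now(),
  payload    jsonb
);
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;

-- WEAK (hypothetical): the policy applies to every role, including the
-- unauthenticated PostgREST role "anon". For an unfiltered SELECT the
-- correlated EXISTS is evaluated per candidate row, and only after that
-- work does each row come back as "not visible". The request returns
-- nothing, but it has already consumed planner and executor time.
CREATE POLICY audit_logs_read_weak ON audit_logs
  FOR SELECT
  USING (
    EXISTS (
      SELECT 1 FROM org_users ou
      WHERE ou.org_id = audit_logs.org_id
        AND ou.user_id = auth.uid()
    )
  );

-- HARDENED: three independent layers.
-- 1. Privilege level: anon has no SELECT on the table at all, so the
--    request fails the GRANT check before planning and before any policy
--    expression runs. This is the check that actually stops the
--    unauthenticated case.
DROP POLICY audit_logs_read_weak ON audit_logs;
REVOKE ALL ON audit_logs FROM anon;
GRANT SELECT ON audit_logs TO authenticated;

-- 2. Policy level: restrict the policy to authenticated users, and wrap
--    auth.uid() in a scalar subquery so it is evaluated once per statement
--    (an InitPlan) instead of once per row.
CREATE POLICY audit_logs_read ON audit_logs
  FOR SELECT
  TO authenticated
  USING (
    EXISTS (
      SELECT 1 FROM org_users ou
      WHERE ou.org_id = audit_logs.org_id
        AND ou.user_id = (SELECT auth.uid())
    )
  );

-- 3. Cost level: index the membership lookup the policy depends on, and
--    keep a short statement_timeout on the public-facing roles so that a
--    runaway query cannot hold a connection indefinitely (values are
--    examples, not a recommendation for any specific deployment).
CREATE INDEX IF NOT EXISTS org_users_user_org_idx ON org_users (user_id, org_id);
ALTER ROLE anon          SET statement_timeout = '3s';
ALTER ROLE authenticated SET statement_timeout = '8s';

-- Check: as anon the query is now refused with
-- "permission denied for table audit_logs" instead of being planned
-- and executed against the policy.
SET ROLE anon;
SELECT count(*) FROM audit_logs;
RESET ROLE;
```

When reviewing a Supabase project for the same class of problem, look for policies without a TO clause on tables that the anon role can still SELECT, and run EXPLAIN ANALYZE on an unfiltered SELECT as that role: if the plan shows the policy's subquery being executed at all, the privilege layer is missing.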

Affected Version(s)

capgo 0 < 12.128.12

capgo 12.128.12

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777