Information Disclosure in Capgo Product by Capgo
CVE-2026-56284
6.9MEDIUM
What is CVE-2026-56284?
The Capgo product prior to version 12.128.2 exhibits an information disclosure vulnerability. This flaw resides in the Supabase PostgREST RPC function public.get_total_metrics(org_id), enabling unauthenticated users to access sensitive organization metrics. By exploiting this vulnerability, attackers can send POST requests with valid organization UUIDs to /rest/v1/rpc/get_total_metrics, thereby obtaining crucial information such as Monthly Active Users (MAU), bandwidth consumption, and installation counts without any authentication. This poses significant risks to organizations that rely on this product, as it could lead to the unwanted exposure of their operational data.
Affected Version(s)
capgo 0 < 12.128.2
capgo 12.128.2
