Information Disclosure in Capgo Product by Capgo
CVE-2026-56284

6.9MEDIUM

Key Information:

Vendor

Cap-go

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56284?

The Capgo product prior to version 12.128.2 exhibits an information disclosure vulnerability. This flaw resides in the Supabase PostgREST RPC function public.get_total_metrics(org_id), enabling unauthenticated users to access sensitive organization metrics. By exploiting this vulnerability, attackers can send POST requests with valid organization UUIDs to /rest/v1/rpc/get_total_metrics, thereby obtaining crucial information such as Monthly Active Users (MAU), bandwidth consumption, and installation counts without any authentication. This poses significant risks to organizations that rely on this product, as it could lead to the unwanted exposure of their operational data.

Affected Version(s)

capgo 0 < 12.128.2

capgo 12.128.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.