Authorization Bypass Vulnerability in Capgo by Capgo
CVE-2026-56311

6.9MEDIUM

Key Information:

Vendor

Capgo

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-56311?

Capgo versions before 12.128.2 contain an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function. The function performs no check that the caller belongs to the organization it is asked about, so an unauthenticated attacker holding only the public Supabase (anon) key can query arbitrary organization UUIDs and read sensitive billing information. The disclosed data include monthly active users (MAU), bandwidth, storage, and build time limits, which poses a meaningful confidentiality risk to organizations relying on the platform.
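The following is an added example written for this page and is not Capgo's code; the table and column names (orgs, org_users, plans and their columns) and the function names get_plan_limits_unsafe and get_plan_limits are hypothetical, chosen only to show the pattern. It contrasts a Postgres RPC function of the shape described above, which returns plan limits for whatever organization UUID it is handed, with a hardened version that requires a signed-in caller who is a member of that organization and that is no longer executable by the anon role at all.

```sql
-- Added example, not the project's own code. Hypothetical schema:
--   orgs(id uuid, plan_id uuid)
--   org_users(org_id uuid, user_id uuid)
--   plans(id uuid, mau bigint, bandwidth bigint, storage bigint, build_time bigint)

-- Vulnerable shape: the only input is the org UUID, and nothing ties the
-- caller to that org. With the default Supabase grants, the anon role can
-- execute functions in the public schema, so the public key is enough.
create or replace function public.get_plan_limits_unsafe(orgid uuid)
returns table (mau bigint, bandwidth bigint, storage bigint, build_time bigint)
language sql
security definer
as $$
  select p.mau, p.bandwidth, p.storage, p.build_time
  from public.orgs o
  join public.plans p on p.id = o.plan_id
  where o.id = orgid;
$$;

-- Hardened shape: reject anonymous callers, then require org membership
-- for the authenticated user before returning anything.
create or replace function public.get_plan_limits(orgid uuid)
returns table (mau bigint, bandwidth bigint, storage bigint, build_time bigint)
language plpgsql
security definer
set search_path = public   -- pin the schema; security definer functions should not resolve names via the caller's search_path
as $$
begin
  -- auth.uid() is Supabase's helper returning the JWT subject, or NULL for the anon key.
  if auth.uid() is null then
    raise exception 'authentication required' using errcode = '42501';
  end if;

  if not exists (
    select 1
    from public.org_users ou
    where ou.org_id = orgid
      and ou.user_id = auth.uid()
  ) then
    -- Same error for "no such org" and "not a member": do not leak which org IDs exist.
    raise exception 'not authorized for this organization' using errcode = '42501';
  end if;

  return query
    select p.mau, p.bandwidth, p.storage, p.build_time
    from public.orgs o
    join public.plans p on p.id = o.plan_id
    where o.id = orgid;
end;
$$;

-- Remove the default execute grant so the anon role cannot even call the function.
revoke execute on function public.get_plan_limits(uuid) from public, anon;
grant execute on function public.get_plan_limits(uuid) to authenticated;
```

The two layers are independent: the membership check inside the function stops an authenticated user from reading another organization's limits, and the revoke stops the unauthenticated case described in this advisory even if a later edit to the function body accidentally drops the check.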

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777