Inconsistent Authentication Enforcement in Capgo Backend Supabase Edge Functions
CVE-2026-56321

6.9MEDIUM

Key Information:

Vendor: Capgo
Status: Capgo
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-56321?

An inconsistency in the authentication enforcement on the GET /private/role_bindings/:org_id endpoint in Capgo's Supabase edge functions, prior to version 12.128.2, allows unauthenticated requests to reach the handler directly. Unlike the POST and DELETE methods which enforce global authentication middleware, the GET request circumvents this security layer. Although the handler itself checks for authorization and can return an Unauthorized response, the potential for authorization bypass exists if changes are made to the handler logic. This vulnerability highlights the importance of consistent authentication across all HTTP methods to prevent unauthorized access.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-...

vendor-advisory

https://www.vulncheck.com/advisories/capgo-missing-authen...

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 20, 2026

Credit

Judel777

CVE-2026-56321 Data

JSON