CVE-2026-56235: Exposure of Sensitive Information to an Unauthorized Actor in Cap-go capgo
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).
AI Analysis
Technical Summary
CVE-2026-56235 describes an authorization bypass in Cap-go capgo prior to version 12.128.2 affecting Supabase PostgREST RPC functions get_app_metrics, get_global_metrics, and get_total_metrics. These functions are granted to the anon role and do not enforce org membership or permission checks, allowing unauthenticated attackers using the public Supabase API key (sb_publishable_*) to query arbitrary org_id values. This leads to unauthorized disclosure of cross-tenant usage telemetry data such as monthly active users, bandwidth, installs, and gets. Attackers can also enumerate app IDs for target organizations and determine organization existence based on response differences.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass authorization controls and access sensitive usage telemetry data across different tenants. This includes metrics like monthly active users, bandwidth consumption, installs, and API gets. Additionally, attackers can enumerate application IDs and confirm the existence of organizations, potentially aiding further targeted attacks or information gathering. There is no indication of data modification or service disruption from this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected RPC functions or enforce org membership and permission checks on these endpoints. Monitor for updates from the vendor regarding patches or official mitigations.
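One way to apply the recommendation above in a Supabase/PostgREST project, as an added example rather than capgo's own migration: pull the anon grant from the affected RPC and rebuild it behind an org-membership check that also removes the existence oracle. The `org_users` and `app_usage` tables, their columns, and the single `org_id` parameter are assumptions.

```sql
-- Added example, not capgo's own code. Assumed: a membership table
-- org_users(org_id uuid, user_id uuid), a usage table app_usage(org_id, app_id,
-- mau, bandwidth, installs, gets), and that the RPC takes a single org_id.

-- 1. PostgREST exposes every function a role may EXECUTE, so revoke the grant
--    from anon (and from PUBLIC, which anon inherits). Repeat for
--    get_global_metrics and get_total_metrics with their real signatures.
REVOKE EXECUTE ON FUNCTION public.get_app_metrics(uuid) FROM anon, PUBLIC;

-- 2. Membership check keyed on the JWT subject. auth.uid() is NULL for anon,
--    so an unauthenticated caller can never match a row.
CREATE OR REPLACE FUNCTION public.is_org_member(p_org_id uuid)
RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public
AS $$
  SELECT EXISTS (
    SELECT 1 FROM org_users
    WHERE org_id = p_org_id AND user_id = auth.uid()
  );
$$;

-- 3. Enforce the check inside the function, so the grant is not the only
--    line of defence. A non-member and a non-existent org both raise the same
--    42501 (PostgREST answers 403), so responses no longer reveal org existence.
--    (If the deployed return type differs, DROP the old function first.)
CREATE OR REPLACE FUNCTION public.get_app_metrics(org_id uuid)
RETURNS TABLE (app_id text, mau bigint, bandwidth bigint, installs bigint, gets bigint)
LANGUAGE plpgsql STABLE SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF NOT public.is_org_member(get_app_metrics.org_id) THEN
    RAISE EXCEPTION 'not authorized' USING ERRCODE = '42501';
  END IF;
  RETURN QUERY
    SELECT u.app_id,
           sum(u.mau)::bigint, sum(u.bandwidth)::bigint,
           sum(u.installs)::bigint, sum(u.gets)::bigint
    FROM app_usage u
    WHERE u.org_id = get_app_metrics.org_id
    GROUP BY u.app_id;
END;
$$;

-- 4. Only signed-in users may call it; the body still decides per org.
GRANT EXECUTE ON FUNCTION public.get_app_metrics(uuid) TO authenticated;
```

After deploying, an anon call with an arbitrary org_id should return 403 rather than metrics or an empty array, for valid and invalid org_id values alike.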
CVSS v4.0
Score: 6.9 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-06-19T21:50:06.625Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a36bb2a49568db4e2fc696c
Added to database: 6/20/2026, 4:09:14 PM
Last enriched: 6/20/2026, 4:24:12 PM
Last updated: 6/20/2026, 6:32:47 PM