GHSA-4wq7-w2m9-cfmm
Capgo versions before 12.128.2 have an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint. This flaw allows unauthenticated attackers to access sensitive financial and operational metrics by using only the public API key. Attackers can query the /rest/v1/global_stats endpoint to retrieve data such as monthly recurring revenue (MRR), total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.
AI Analysis
Technical Summary
An information disclosure vulnerability exists in Capgo prior to version 12.128.2 within the Supabase PostgREST global_stats endpoint. The vulnerability permits unauthenticated remote attackers to access sensitive financial and operational data by querying the /rest/v1/global_stats endpoint using only the public API key. This exposure includes metrics like MRR, total revenue, revenue by plan tier, customer counts, and operational telemetry. The vulnerability is classified under CWE-200 (Information Exposure). No patch or official remediation has been indicated in the provided data.
Potential Impact
Sensitive financial and operational metrics are exposed to unauthenticated remote attackers. This could lead to unauthorized disclosure of business-critical data such as revenue figures and customer statistics, potentially harming the affected organization's confidentiality and competitive position.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /rest/v1/global_stats endpoint and avoid exposing the public API key in untrusted environments.
GHSA-4wq7-w2m9-cfmm
Description
Capgo versions before 12.128.2 have an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint. This flaw allows unauthenticated attackers to access sensitive financial and operational metrics by using only the public API key. Attackers can query the /rest/v1/global_stats endpoint to retrieve data such as monthly recurring revenue (MRR), total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.
CVSS v4.0
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
An information disclosure vulnerability exists in Capgo prior to version 12.128.2 within the Supabase PostgREST global_stats endpoint. The vulnerability permits unauthenticated remote attackers to access sensitive financial and operational data by querying the /rest/v1/global_stats endpoint using only the public API key. This exposure includes metrics like MRR, total revenue, revenue by plan tier, customer counts, and operational telemetry. The vulnerability is classified under CWE-200 (Information Exposure). No patch or official remediation has been indicated in the provided data.
Potential Impact
Sensitive financial and operational metrics are exposed to unauthenticated remote attackers. This could lead to unauthorized disclosure of business-critical data such as revenue figures and customer statistics, potentially harming the affected organization's confidentiality and competitive position.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /rest/v1/global_stats endpoint and avoid exposing the public API key in untrusted environments.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-4wq7-w2m9-cfmm
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-56238"]
- Ecosystems
- []
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a54ae1868715ace438f98cd
Added to database: 07/13/2026, 09:21:28 UTC
Last enriched: 07/13/2026, 10:01:37 UTC
Last updated: 07/13/2026, 10:05:54 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.