CVE Catalog

CVE-2026-56235

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

Cap-go before version 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions that are granted to the anon role without enforcing org membership or permission checks. An attacker can use the public Supabase API key to query org_id values, disclosing cross-tenant usage telemetry.

Risk Assessment

The organization is at risk of exposing sensitive telemetry data and the ability to enumerate app IDs, which could lead to further attacks on the infrastructure.

Recommendation

It is recommended to upgrade to version 12.128.2 or later and implement appropriate access controls to prevent unauthorized access to RPC functions.

Original NVD description (English source)

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS