CVE-2026-56235
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
Cap-go before version 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions that are granted to the anon role without enforcing org membership or permission checks. An attacker can use the public Supabase API key to query org_id values, disclosing cross-tenant usage telemetry.
Risk Assessment
The organization is at risk of exposing sensitive telemetry data and the ability to enumerate app IDs, which could lead to further attacks on the infrastructure.
Recommendation
It is recommended to upgrade to version 12.128.2 or later and implement appropriate access controls to prevent unauthorized access to RPC functions.
Original NVD description (English source)
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).

