CVE-2026-56244
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers.
Risk Assessment
Compromising the authenticity and integrity of webhooks may lead to unauthorized access to data and potential attacks on systems utilizing these webhooks.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later and implement appropriate row-level security policies on the webhooks table.
Original NVD description (English source)
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.

