CVE Catalog

CVE-2026-56244

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers.

Risk Assessment

Compromising the authenticity and integrity of webhooks may lead to unauthorized access to data and potential attacks on systems utilizing these webhooks.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later and implement appropriate row-level security policies on the webhooks table.

Original NVD description (English source)

Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS