CVE-2026-56248
HighCVSS 7.5Summary
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API.
Risk Assessment
Unauthenticated queries can lead to database resource exhaustion, resulting in cascading HTTP 500 errors on unrelated endpoints, jeopardizing application availability.
Recommendation
It is recommended to upgrade to version 12.128.12 or later to mitigate this vulnerability and to monitor queries to the public audit_logs endpoint.
Original NVD description (English source)
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.

