CVE-2026-56226 - Capgo Unauthenticated Data Exposure via Supabase PostgREST RPC
CVE-2026-56226 details a high-severity vulnerability in Capgo versions prior to 12.128.2 that exposes a Supabase PostgREST RPC function, `public.get_orgs_v6`, to unauthenticated attackers, allowing them to retrieve sensitive user organization membership and PII by supplying an arbitrary user UUID.
CVE-2026-56226 outlines a significant data exposure vulnerability in Capgo (Cap-go/capgo) versions preceding 12.128.2. This vulnerability stems from the application's exposure of the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is configured as SECURITY DEFINER and granted to the anon role. This misconfiguration permits unauthenticated access to the function. An attacker, leveraging a public publishable API key, can send a POST request to /rest/v1/rpc/get_orgs_v6 with any user's UUID. The function then returns sensitive information associated with that user, including organization membership, roles, subscription/trial metadata, and management_email, which constitutes personally identifiable information (PII). This flaw allows for widespread unauthorized data retrieval without requiring prior authentication.
Attack Chain
- An attacker identifies a Capgo instance running a vulnerable version (prior to 12.128.2).
- The attacker obtains the Capgo application's publicly available API key, typically found in client-side code or network traffic.
- The attacker crafts a malicious HTTP POST request targeting the exposed Supabase PostgREST RPC endpoint:
/rest/v1/rpc/get_orgs_v6. - Within the request body, the attacker includes a JSON payload containing an arbitrary
useridUUID belonging to a user within the Capgo system. - The vulnerable Capgo application, due to the
anonrole grant andSECURITY DEFINERsetting forpublic.get_orgs_v6, processes the unauthenticated request. - The RPC function executes, querying the backend Supabase database using the attacker-supplied
useridUUID. - The database returns all associated user details to the Capgo application.
- The Capgo application then sends the sensitive data, including organization membership, roles, subscription/trial metadata, and
management_email, back to the attacker in the API response.
Impact
The successful exploitation of CVE-2026-56226 leads to unauthorized retrieval of sensitive user data. Attackers can obtain organization membership details, assigned roles, subscription and trial status, and critical Personally Identifiable Information (PII) such as the management_email for any user whose UUID they can guess or enumerate. This direct access to user data without authentication poses a severe privacy risk and can be leveraged for further social engineering, targeted phishing, or identity theft. The scope of impact is potentially all users registered on a vulnerable Capgo instance.
Recommendation
- Patch CVE-2026-56226 immediately by updating Capgo to version 12.128.2 or later.
- Deploy the Sigma rule "Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval" to your SIEM to identify attempts to exploit this vulnerability.
- Review webserver access logs for the specific
cs-uri-stem/rest/v1/rpc/get_orgs_v6for successful POST requests (sc-status: 200) from untrusted IP addresses or sources indicating potential exploitation.
Detection coverage 1
Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval
highDetects attempts to exploit CVE-2026-56226 by making unauthenticated POST requests to the Capgo Supabase PostgREST RPC endpoint public.get_orgs_v6 to retrieve user organization data.
Detection queries are available on the platform. Get full rules →