Skip to content
Threat Feed
high advisory

CVE-2026-56226 - Capgo Unauthenticated Data Exposure via Supabase PostgREST RPC

CVE-2026-56226 details a high-severity vulnerability in Capgo versions prior to 12.128.2 that exposes a Supabase PostgREST RPC function, `public.get_orgs_v6`, to unauthenticated attackers, allowing them to retrieve sensitive user organization membership and PII by supplying an arbitrary user UUID.

CVE-2026-56226 outlines a significant data exposure vulnerability in Capgo (Cap-go/capgo) versions preceding 12.128.2. This vulnerability stems from the application's exposure of the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is configured as SECURITY DEFINER and granted to the anon role. This misconfiguration permits unauthenticated access to the function. An attacker, leveraging a public publishable API key, can send a POST request to /rest/v1/rpc/get_orgs_v6 with any user's UUID. The function then returns sensitive information associated with that user, including organization membership, roles, subscription/trial metadata, and management_email, which constitutes personally identifiable information (PII). This flaw allows for widespread unauthorized data retrieval without requiring prior authentication.

Attack Chain

  1. An attacker identifies a Capgo instance running a vulnerable version (prior to 12.128.2).
  2. The attacker obtains the Capgo application's publicly available API key, typically found in client-side code or network traffic.
  3. The attacker crafts a malicious HTTP POST request targeting the exposed Supabase PostgREST RPC endpoint: /rest/v1/rpc/get_orgs_v6.
  4. Within the request body, the attacker includes a JSON payload containing an arbitrary userid UUID belonging to a user within the Capgo system.
  5. The vulnerable Capgo application, due to the anon role grant and SECURITY DEFINER setting for public.get_orgs_v6, processes the unauthenticated request.
  6. The RPC function executes, querying the backend Supabase database using the attacker-supplied userid UUID.
  7. The database returns all associated user details to the Capgo application.
  8. The Capgo application then sends the sensitive data, including organization membership, roles, subscription/trial metadata, and management_email, back to the attacker in the API response.

Impact

The successful exploitation of CVE-2026-56226 leads to unauthorized retrieval of sensitive user data. Attackers can obtain organization membership details, assigned roles, subscription and trial status, and critical Personally Identifiable Information (PII) such as the management_email for any user whose UUID they can guess or enumerate. This direct access to user data without authentication poses a severe privacy risk and can be leveraged for further social engineering, targeted phishing, or identity theft. The scope of impact is potentially all users registered on a vulnerable Capgo instance.

Recommendation

  • Patch CVE-2026-56226 immediately by updating Capgo to version 12.128.2 or later.
  • Deploy the Sigma rule "Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval" to your SIEM to identify attempts to exploit this vulnerability.
  • Review webserver access logs for the specific cs-uri-stem /rest/v1/rpc/get_orgs_v6 for successful POST requests (sc-status: 200) from untrusted IP addresses or sources indicating potential exploitation.

Detection coverage 1

Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval

high

Detects attempts to exploit CVE-2026-56226 by making unauthenticated POST requests to the Capgo Supabase PostgREST RPC endpoint public.get_orgs_v6 to retrieve user organization data.

sigma tactics: collection, initial_access techniques: T1190, T1530 sources: webserver

Detection queries are available on the platform. Get full rules →