Product
An information disclosure vulnerability in Capgo (Cap-go/capgo) before version 12.128.2 allows unauthenticated attackers to enumerate organization existence. This flaw resides within the Supabase PostgREST SECURITY DEFINER RPC function 'public.rescind_invitation', which returns distinct error messages (NO_ORG vs. NO_RIGHTS) when called with only a publishable API key. This enables attackers to discover valid organization IDs, increasing the attack surface for targeted phishing or social engineering campaigns.