{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cap-go/capgo--12.128.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-56339"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cap-go/capgo (\u003c 12.128.2)"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","vulnerability","supabase"],"_cs_type":"advisory","_cs_vendors":["Capgo","Supabase"],"content_html":"\u003cp\u003eA critical information disclosure vulnerability, tracked as CVE-2026-56339, affects Capgo (Cap-go/capgo) versions prior to 12.128.2. This flaw is located within the \u003ccode\u003epublic.rescind_invitation\u003c/code\u003e RPC function of the integrated Supabase PostgREST instance, specifically when configured as a SECURITY DEFINER. Unauthenticated attackers can exploit this vulnerability by observing distinct error messages returned by the function when attempting to rescind an invitation using only a publishable API key. A \u0026quot;NO_ORG\u0026quot; error indicates an invalid organization ID, while a \u0026quot;NO_RIGHTS\u0026quot; error signifies a valid organization ID for which the provided API key lacks sufficient permissions. This distinction allows attackers to enumerate valid organization IDs, thereby expanding the attack surface for subsequent targeted phishing or social engineering campaigns. The vulnerability poses a significant risk by enabling sophisticated reconnaissance against Capgo users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Capgo instance that utilizes the vulnerable Supabase PostgREST RPC function.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid, publishable API key for the Capgo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an RPC request targeting the \u003ccode\u003epublic.rescind_invitation\u003c/code\u003e function, supplying the publishable API key and a guessed organization ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of these crafted requests, systematically varying the guessed organization ID.\u003c/li\u003e\n\u003cli\u003eUpon receiving an API response containing a \u0026quot;NO_ORG\u0026quot; error message, the attacker identifies that the submitted organization ID is invalid or does not exist.\u003c/li\u003e\n\u003cli\u003eUpon receiving an API response containing a \u0026quot;NO_RIGHTS\u0026quot; error message, the attacker identifies that the submitted organization ID is valid, despite the API key lacking specific rights for that organization.\u003c/li\u003e\n\u003cli\u003eBy analyzing the distinct error messages, the attacker effectively enumerates all valid organization IDs within the Capgo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker then leverages these confirmed valid organization IDs to conduct highly targeted phishing, social engineering, or other reconnaissance activities against the identified organizations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-56339 leads to the unauthorized enumeration of valid organization IDs within affected Capgo instances. This information disclosure provides attackers with critical data for reconnaissance, significantly increasing the success rate of subsequent targeted phishing, social engineering, or other attack vectors. While the vulnerability itself does not grant direct access to sensitive data or systems, it dramatically lowers the barrier for attackers to launch more sophisticated and personalized attacks against specific organizations. The scope of targeting is limited only by the attacker's ability to guess or systematically iterate through potential organization IDs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-56339 by upgrading Capgo (Cap-go/capgo) to version 12.128.2 or later immediately.\u003c/li\u003e\n\u003cli\u003eReview access logging for the Supabase PostgREST RPC endpoint for \u003ccode\u003epublic.rescind_invitation\u003c/code\u003e for unusual patterns or high volumes of requests indicating reconnaissance activity.\u003c/li\u003e\n\u003cli\u003eImplement API gateway rate limiting or Web Application Firewall (WAF) rules to restrict the frequency of requests to the \u003ccode\u003epublic.rescind_invitation\u003c/code\u003e function if logs are not available for real-time monitoring.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:21:23Z","date_published":"2026-07-15T12:21:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-information-disclosure-capgo/","summary":"An information disclosure vulnerability in Capgo (Cap-go/capgo) before version 12.128.2 allows unauthenticated attackers to enumerate organization existence. This flaw resides within the Supabase PostgREST SECURITY DEFINER RPC function 'public.rescind_invitation', which returns distinct error messages (NO_ORG vs. NO_RIGHTS) when called with only a publishable API key. This enables attackers to discover valid organization IDs, increasing the attack surface for targeted phishing or social engineering campaigns.","title":"Information Disclosure in Capgo Supabase Integration via RPC Function","url":"https://feed.craftedsignal.io/briefs/2026-07-information-disclosure-capgo/"}],"language":"en","title":"CraftedSignal Threat Feed - Cap-Go/Capgo (\u003c 12.128.2)","version":"https://jsonfeed.org/version/1.1"}