{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/capgo-before-12.128.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-56226"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Capgo (before 12.128.2)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","api-exploitation","data-exfiltration","webserver","supabase"],"_cs_type":"advisory","_cs_vendors":["Cap-go"],"content_html":"\u003cp\u003eCVE-2026-56226 outlines a significant data exposure vulnerability in Capgo (Cap-go/capgo) versions preceding 12.128.2. This vulnerability stems from the application's exposure of the Supabase PostgREST RPC function \u003ccode\u003epublic.get_orgs_v6(userid uuid)\u003c/code\u003e, which is configured as \u003ccode\u003eSECURITY DEFINER\u003c/code\u003e and granted to the \u003ccode\u003eanon\u003c/code\u003e role. This misconfiguration permits unauthenticated access to the function. An attacker, leveraging a public publishable API key, can send a POST request to \u003ccode\u003e/rest/v1/rpc/get_orgs_v6\u003c/code\u003e with any user's UUID. The function then returns sensitive information associated with that user, including organization membership, roles, subscription/trial metadata, and \u003ccode\u003emanagement_email\u003c/code\u003e, which constitutes personally identifiable information (PII). This flaw allows for widespread unauthorized data retrieval without requiring prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Capgo instance running a vulnerable version (prior to 12.128.2).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the Capgo application's publicly available API key, typically found in client-side code or network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the exposed Supabase PostgREST RPC endpoint: \u003ccode\u003e/rest/v1/rpc/get_orgs_v6\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request body, the attacker includes a JSON payload containing an arbitrary \u003ccode\u003euserid\u003c/code\u003e UUID belonging to a user within the Capgo system.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Capgo application, due to the \u003ccode\u003eanon\u003c/code\u003e role grant and \u003ccode\u003eSECURITY DEFINER\u003c/code\u003e setting for \u003ccode\u003epublic.get_orgs_v6\u003c/code\u003e, processes the unauthenticated request.\u003c/li\u003e\n\u003cli\u003eThe RPC function executes, querying the backend Supabase database using the attacker-supplied \u003ccode\u003euserid\u003c/code\u003e UUID.\u003c/li\u003e\n\u003cli\u003eThe database returns all associated user details to the Capgo application.\u003c/li\u003e\n\u003cli\u003eThe Capgo application then sends the sensitive data, including organization membership, roles, subscription/trial metadata, and \u003ccode\u003emanagement_email\u003c/code\u003e, back to the attacker in the API response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-56226 leads to unauthorized retrieval of sensitive user data. Attackers can obtain organization membership details, assigned roles, subscription and trial status, and critical Personally Identifiable Information (PII) such as the \u003ccode\u003emanagement_email\u003c/code\u003e for any user whose UUID they can guess or enumerate. This direct access to user data without authentication poses a severe privacy risk and can be leveraged for further social engineering, targeted phishing, or identity theft. The scope of impact is potentially all users registered on a vulnerable Capgo instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-56226 immediately by updating Capgo to version 12.128.2 or later.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval\u0026quot; to your SIEM to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs for the specific \u003ccode\u003ecs-uri-stem\u003c/code\u003e \u003ccode\u003e/rest/v1/rpc/get_orgs_v6\u003c/code\u003e for successful POST requests (\u003ccode\u003esc-status: 200\u003c/code\u003e) from untrusted IP addresses or sources indicating potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:20:36Z","date_published":"2026-07-08T14:20:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-56226-capgo-data-exposure/","summary":"CVE-2026-56226 details a high-severity vulnerability in Capgo versions prior to 12.128.2 that exposes a Supabase PostgREST RPC function, `public.get_orgs_v6`, to unauthenticated attackers, allowing them to retrieve sensitive user organization membership and PII by supplying an arbitrary user UUID.","title":"CVE-2026-56226 - Capgo Unauthenticated Data Exposure via Supabase PostgREST RPC","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-56226-capgo-data-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed - Capgo (Before 12.128.2)","version":"https://jsonfeed.org/version/1.1"}