{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/supabase-postgrest/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-56238"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Capgo \u003c 12.128.2","Supabase PostgREST"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","web-application","vulnerability","supabase"],"_cs_type":"advisory","_cs_vendors":["Capgo","Supabase"],"content_html":"\u003cp\u003eCVE-2026-56238 describes an information disclosure vulnerability affecting Capgo software versions prior to 12.128.2. This flaw resides within the Supabase PostgREST \u003ccode\u003eglobal_stats\u003c/code\u003e endpoint, which is integral to Capgo's backend operations. The vulnerability enables unauthenticated attackers to query the \u003ccode\u003e/rest/v1/global_stats\u003c/code\u003e endpoint. By simply utilizing a publicly available API key, an attacker can gain unauthorized access to highly sensitive financial and operational metrics. This includes data such as Monthly Recurring Revenue (MRR), total revenue figures, a detailed breakdown of revenue by plan tier, customer counts, and various operational telemetry data. The exposure of such data poses a significant risk for organizations using affected Capgo installations, potentially leading to competitive disadvantages, financial fraud, and strategic exploitation due to the revelation of internal business performance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Capgo instance running a vulnerable version (prior to 12.128.2) of its Supabase PostgREST backend.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the \u003ccode\u003e/rest/v1/global_stats\u003c/code\u003e endpoint on the vulnerable Capgo instance. This request includes a public API key, which is sufficient for triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Supabase PostgREST endpoint processes the request without proper authentication checks for sensitive data.\u003c/li\u003e\n\u003cli\u003eThe endpoint responds by disclosing internal financial and operational metrics, including MRR, total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully collects and exfiltrates the sensitive organizational data, achieving their objective of information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-56238 results in the unauthorized disclosure of critical business intelligence. Attackers can obtain sensitive financial data, such as Monthly Recurring Revenue (MRR), total revenue, and detailed revenue breakdowns by plan tier. Operational metrics, including customer counts and various telemetry data, are also exposed. This information can be leveraged for competitive intelligence, targeted phishing campaigns, financial fraud, or to undermine the victim organization's market position. While the NVD entry does not specify a number of victims or specific sectors, any organization utilizing vulnerable Capgo instances is at risk of significant reputational and financial damage should their proprietary data be exfiltrated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-56238 by updating Capgo to version 12.128.2 or later immediately to remediate the vulnerability in Supabase PostgREST.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2026-56238 Exploitation - Supabase PostgREST Global Stats Endpoint Access\u003c/code\u003e Sigma rule to your SIEM to detect attempts to access the vulnerable \u003ccode\u003e/rest/v1/global_stats\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eBlock the access to the \u003ccode\u003e/rest/v1/global_stats\u003c/code\u003e URL provided in the IOC section at the perimeter firewall or API gateway if immediate patching is not possible.\u003c/li\u003e\n\u003cli\u003eEnsure web server access logs are enabled and retained to provide telemetry for the Sigma rule provided in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:21:10Z","date_published":"2026-07-12T12:21:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-capgo-supabase-info-disclosure/","summary":"An information disclosure vulnerability (CVE-2026-56238) in Capgo before 12.128.2's Supabase PostgREST global_stats endpoint allows unauthenticated attackers to retrieve sensitive financial and operational metrics using a public API key.","title":"CVE-2026-56238 - Capgo Supabase PostgREST Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-07-capgo-supabase-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - Supabase PostgREST","version":"https://jsonfeed.org/version/1.1"}