<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Supabase - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/supabase/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 14:20:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/supabase/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-56226 - Capgo Unauthenticated Data Exposure via Supabase PostgREST RPC</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-56226-capgo-data-exposure/</link><pubDate>Wed, 08 Jul 2026 14:20:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-56226-capgo-data-exposure/</guid><description>CVE-2026-56226 details a high-severity vulnerability in Capgo versions prior to 12.128.2 that exposes a Supabase PostgREST RPC function, `public.get_orgs_v6`, to unauthenticated attackers, allowing them to retrieve sensitive user organization membership and PII by supplying an arbitrary user UUID.</description><content:encoded><![CDATA[<p>CVE-2026-56226 outlines a significant data exposure vulnerability in Capgo (Cap-go/capgo) versions preceding 12.128.2. This vulnerability stems from the application's exposure of the Supabase PostgREST RPC function <code>public.get_orgs_v6(userid uuid)</code>, which is configured as <code>SECURITY DEFINER</code> and granted to the <code>anon</code> role. This misconfiguration permits unauthenticated access to the function. An attacker, leveraging a public publishable API key, can send a POST request to <code>/rest/v1/rpc/get_orgs_v6</code> with any user's UUID. The function then returns sensitive information associated with that user, including organization membership, roles, subscription/trial metadata, and <code>management_email</code>, which constitutes personally identifiable information (PII). This flaw allows for widespread unauthorized data retrieval without requiring prior authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Capgo instance running a vulnerable version (prior to 12.128.2).</li>
<li>The attacker obtains the Capgo application's publicly available API key, typically found in client-side code or network traffic.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the exposed Supabase PostgREST RPC endpoint: <code>/rest/v1/rpc/get_orgs_v6</code>.</li>
<li>Within the request body, the attacker includes a JSON payload containing an arbitrary <code>userid</code> UUID belonging to a user within the Capgo system.</li>
<li>The vulnerable Capgo application, due to the <code>anon</code> role grant and <code>SECURITY DEFINER</code> setting for <code>public.get_orgs_v6</code>, processes the unauthenticated request.</li>
<li>The RPC function executes, querying the backend Supabase database using the attacker-supplied <code>userid</code> UUID.</li>
<li>The database returns all associated user details to the Capgo application.</li>
<li>The Capgo application then sends the sensitive data, including organization membership, roles, subscription/trial metadata, and <code>management_email</code>, back to the attacker in the API response.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-56226 leads to unauthorized retrieval of sensitive user data. Attackers can obtain organization membership details, assigned roles, subscription and trial status, and critical Personally Identifiable Information (PII) such as the <code>management_email</code> for any user whose UUID they can guess or enumerate. This direct access to user data without authentication poses a severe privacy risk and can be leveraged for further social engineering, targeted phishing, or identity theft. The scope of impact is potentially all users registered on a vulnerable Capgo instance.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-56226 immediately by updating Capgo to version 12.128.2 or later.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval&quot; to your SIEM to identify attempts to exploit this vulnerability.</li>
<li>Review webserver access logs for the specific <code>cs-uri-stem</code> <code>/rest/v1/rpc/get_orgs_v6</code> for successful POST requests (<code>sc-status: 200</code>) from untrusted IP addresses or sources indicating potential exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>api-exploitation</category><category>data-exfiltration</category><category>webserver</category><category>supabase</category></item></channel></rss>