Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network RPC call with a public key (AV:N/AC:L/PR:N/UI:N); discloses membership and emails only, so C:H and I:A:N, scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.
AnalysisAI
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the Capgo PostgREST RPC endpoint and a public (anon) API key, which is intended to be publicly distributable; no user account, authentication, or user interaction is needed (AV:N/AC:L/AT:N/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine, easy-to-trigger confidentiality issue rather than an inflated score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows a target organization's public (anon) Capgo API key - which is shipped client-side and not secret - sends a single crafted RPC call to the PostgREST get_org_user_access_rbac endpoint. Because the NULL authorization check fails open for the unauthenticated session, the endpoint returns the org's RBAC role bindings and member email addresses, which the attacker harvests for targeted phishing or social-engineering of high-privilege members. … |
| Remediation | Vendor-released patch: upgrade Capgo to version 12.128.2 or later, which corrects the NULL comparison in the public.get_org_user_access_rbac authorization gate; follow the fix details in GitHub advisory GHSA-vvm7-xhcj-m94h (https://github.com/Cap-go/capgo/security/advisories/GHSA-vvm7-xhcj-m94h) and the VulnCheck advisory (https://www.vulncheck.com/advisories/capgo-unauthenticated-rbac-bindings-and-email-disclosure-via-get-org-user-access-rbac-null-auth-bypass). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Verify Capgo version in use and assess scope of exposed organizational data (member count, role assignments, email scope). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrow
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40627
GHSA-f484-qgwx-c6gr