Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, unauthenticated (public anon key), no user interaction; read-only PII/org disclosure gives C:H with no integrity or availability impact and unchanged scope.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the authenticated user, an attacker using only the public publishable API key can query POST /rest/v1/rpc/get_orgs_v6 with an arbitrary user UUID to retrieve that user's organization membership, roles, subscription/trial metadata, and management_email (PII).
AnalysisAI
Broken access control in Capgo (the Capacitor live-update/OTA platform) before 12.128.2 lets any unauthenticated caller holding only the public publishable API key read arbitrary users' organization data. The Supabase PostgREST RPC function public.get_orgs_v6 runs as SECURITY DEFINER and is granted to the anon role, yet trusts a caller-supplied user UUID instead of the authenticated identity, exposing org membership, roles, subscription/trial metadata, and the management_email PII. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable deployment must be running Capgo prior to 12.128.2 with the public.get_orgs_v6 RPC present and EXECUTE granted to the anon role (the default in affected versions), reachable over the network via the Supabase PostgREST endpoint /rest/v1/rpc/get_orgs_v6. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H, base 8.7) is internally consistent with the description: fully remote, no authentication, no user interaction, and high confidentiality impact with no integrity or availability effect - this is a read-only data-disclosure bug, not code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained the app's publicly shipped Supabase publishable/anon key (extractable from any Capgo-powered mobile binary or web client) sends POST /rest/v1/rpc/get_orgs_v6 with a target user's UUID in the body. The server returns that user's organization memberships, roles, subscription/trial details, and management_email, which the attacker scripts across many UUIDs to bulk-harvest PII. … |
| Remediation | Vendor-released patch: upgrade to Capgo 12.128.2 or later, which corrects the function's authorization handling. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify deployed Capgo version; review access logs for the public.get_orgs_v6 function for suspicious access patterns indicating possible exploitation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42248
GHSA-fw56-3v5m-f44w