Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable Supabase API (AV:N), straightforward UPDATE once authenticated (AC:L), requires existing admin role (PR:H), no UI; full integrity/availability impact via super_admin takeover, no new confidentiality exposure beyond admin's existing reads.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authenticated users to elevate privileges from admin to super_admin. Attackers can exploit the insufficient RLS enforcement to gain unauthorized super_admin access and compromise system security.
AnalysisAI
Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must already be authenticated to the Capgo backend and hold the admin role within an organization (CVSS PR:H), and the target instance must be running Capgo earlier than 12.128.2 with the default org_users RLS policy in place; no user interaction or non-default toggle is required and the attack vector is network-reachable Supabase/PostgREST endpoints (AV:N, UI:N, AT:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H scores 7.0 (High) and is internally consistent with the description: an attacker must already hold high privileges (an organization admin account), but once authenticated they can fully compromise integrity and availability of the tenant by becoming super_admin, with no confidentiality impact tagged because reads were already permitted at the admin tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or legitimately obtained an organization-level admin account in a multi-tenant Capgo deployment issues an authenticated UPDATE against the org_users row representing themselves, setting role to super_admin; the broken RLS policy fails to reject the change, and the attacker then uses the elevated super_admin context to read or tamper with any organization's update channels and push malicious OTA payloads to downstream mobile apps. No public exploit code has been identified at time of analysis, but the technique is straightforward once admin access is held. |
| Remediation | Vendor-released patch: Capgo 12.128.2 - upgrade self-hosted instances to 12.128.2 or later as documented in GHSA-9xqh-f26v-9c9h (https://github.com/Cap-go/capgo/security/advisories/GHSA-9xqh-f26v-9c9h). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all Capgo deployments and current versions across your infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38168
GHSA-phvp-mxhx-w4fp