Skip to main content

Capgo CVE-2026-56251

| EUVDEUVD-2026-38168 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-21 VulnCheck GHSA-phvp-mxhx-w4fp
7.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable Supabase API (AV:N), straightforward UPDATE once authenticated (AC:L), requires existing admin role (PR:H), no UI; full integrity/availability impact via super_admin takeover, no new confidentiality exposure beyond admin's existing reads.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 06:05 vuln.today
Patch available
Jun 21, 2026 - 15:31 EUVD

DescriptionCVE.org

Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authenticated users to elevate privileges from admin to super_admin. Attackers can exploit the insufficient RLS enforcement to gain unauthorized super_admin access and compromise system security.

AnalysisAI

Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials in target org
Delivery
Authenticate to Capgo Supabase API
Exploit
Send UPDATE on own org_users row setting role=super_admin
Execution
Broken RLS policy accepts the change
Persist
Operate with super_admin across all tenants
Impact
Push malicious OTA update or exfiltrate cross-tenant data

Vulnerability AssessmentAI

Exploitation The attacker must already be authenticated to the Capgo backend and hold the admin role within an organization (CVSS PR:H), and the target instance must be running Capgo earlier than 12.128.2 with the default org_users RLS policy in place; no user interaction or non-default toggle is required and the attack vector is network-reachable Supabase/PostgREST endpoints (AV:N, UI:N, AT:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H scores 7.0 (High) and is internally consistent with the description: an attacker must already hold high privileges (an organization admin account), but once authenticated they can fully compromise integrity and availability of the tenant by becoming super_admin, with no confidentiality impact tagged because reads were already permitted at the admin tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or legitimately obtained an organization-level admin account in a multi-tenant Capgo deployment issues an authenticated UPDATE against the org_users row representing themselves, setting role to super_admin; the broken RLS policy fails to reject the change, and the attacker then uses the elevated super_admin context to read or tamper with any organization's update channels and push malicious OTA payloads to downstream mobile apps. No public exploit code has been identified at time of analysis, but the technique is straightforward once admin access is held.
Remediation Vendor-released patch: Capgo 12.128.2 - upgrade self-hosted instances to 12.128.2 or later as documented in GHSA-9xqh-f26v-9c9h (https://github.com/Cap-go/capgo/security/advisories/GHSA-9xqh-f26v-9c9h). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all Capgo deployments and current versions across your infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Capgo

View all
CVE-2026-56237 CRITICAL
9.3 Jun 24

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin

CVE-2026-56223 CRITICAL
9.3 Jun 24

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal

CVE-2026-56081 CRITICAL
9.3 Jun 19

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a

CVE-2026-56073 CRITICAL
9.3 Jun 19

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering

CVE-2026-56324 HIGH
8.8 Jun 22

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo

CVE-2026-56245 HIGH
8.8 Jun 24

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing

CVE-2026-56233 HIGH
8.7 Jun 30

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat

CVE-2026-56323 HIGH
8.7 Jun 22

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se

CVE-2026-56305 HIGH
8.7 Jul 10

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (

CVE-2026-56300 HIGH
8.7 Jun 30

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse

CVE-2026-56219 HIGH
8.7 Jun 30

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin

CVE-2026-56230 HIGH
8.7 Jun 30

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited

Share

CVE-2026-56251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy