Skip to main content

Capgo CVE-2026-56284

| EUVDEUVD-2026-42253 MEDIUM
Information Exposure (CWE-200)
2026-07-08 disclosure@vulncheck.com GHSA-9wm3-r7wr-vg47
6.9
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable with no auth (public key is not a secret); low confidentiality impact as only usage metrics are exposed, no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 15:02 vuln.today
Patch available
Jul 08, 2026 - 15:01 EUVD

DescriptionCVE.org

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only the public sb_publishable_* key. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics including MAU, bandwidth, and install counts by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs.

AnalysisAI

Unauthenticated information disclosure in Capgo (Cap-go/capgo) before 12.128.2 exposes sensitive organization metrics through a misconfigured Supabase PostgREST RPC endpoint. The Supabase function public.get_total_metrics(org_id) is accessible to the anon role using only the publicly distributed sb_publishable_* key, meaning any external party can query it without credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Extract public sb_publishable_* key from mobile app
Delivery
Send POST to /rest/v1/rpc/get_total_metrics with anon role
Exploit
Supply target organization UUID
Execution
Receive MAU/bandwidth/install metrics
Persist
Enumerate additional org UUIDs
Impact
Aggregate competitive intelligence

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond possessing the public sb_publishable_* API key, which is distributed within every Capgo-integrated mobile application and is not a secret credential. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects straightforward network-reachable exploitation requiring no authentication and no special conditions, which accurately characterizes this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains the Capgo sb_publishable_* API key, which is embedded in any Capgo-integrated mobile application and therefore publicly extractable via app decompilation or network traffic inspection. The attacker then sends POST requests to https://[capgo-instance]/rest/v1/rpc/get_total_metrics with sequential or guessed organization UUIDs as the org_id parameter, using the public key in the Authorization header. …
Remediation Upgrade Capgo to version 12.128.2 or later, which is the vendor-confirmed patched release per the advisory at https://github.com/Cap-go/capgo/security/advisories/GHSA-h5jf-xgvh-hgjw. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy