Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:N confirmed by public anon key access; C:L only as disclosed data is billing plan metadata, not credentials or application content.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.
AnalysisAI
Unauthenticated cross-tenant information disclosure in Capgo before 12.128.2 exposes billing plan metadata for arbitrary organizations via an improperly authorized Supabase RPC function. Any network-accessible attacker possessing only the public Supabase anon key can call the public.get_current_plan_max_org endpoint with any organization UUID to retrieve MAU limits, bandwidth, storage, and build time plan data belonging to unrelated tenants. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the attack leverages only the public Supabase anon key, which is a non-secret, client-embeddable credential by design in the Supabase architecture. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N accurately reflects that the attack is trivially executable over the network without authentication, but impact is bounded to low confidentiality - billing plan metadata only, not credentials or application data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker retrieves Capgo's public Supabase anon key - which is by design embeddable in client apps and may be found in mobile app bundles, JavaScript sources, or public documentation - then crafts an HTTP POST to the Supabase RPC endpoint `public.get_current_plan_max_org` supplying a target organization's UUID as the parameter. The server returns the organization's billing plan metadata including MAU, bandwidth, storage, and build time limits without verifying the caller's relationship to that organization. … |
| Remediation | Upgrade Capgo to version 12.128.2 or later, which patches the authorization logic in the `public.get_current_plan_max_org` RPC function to enforce caller-organization ownership checks. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38370