Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network-reachable RPC with low complexity (PR:N/AV:N/AC:L), but it leaks only organization existence, so confidentiality is Low and integrity/availability are None.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.
AnalysisAI
Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Capgo/Supabase backend expose the SECURITY DEFINER RPC public.rescind_invitation to the anonymous role, and that the attacker possess the publishable (anon) API key - which is by design embedded in and extractable from the distributed client app, so it is effectively public rather than a real barrier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) yields 8.7, but the VC:H (high confidentiality) rating appears inflated for what is fundamentally existence enumeration: the function leaks whether an org ID is valid, not its contents, credentials, or PII, so real-world confidentiality impact is closer to Low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding only the app's publicly embedded Supabase publishable (anon) API key scripts repeated calls to the rescind_invitation RPC across a range of organization IDs. By observing whether each call returns NO_ORG or NO_RIGHTS, they compile a list of valid organizations and then launch targeted phishing against those tenants. … |
| Remediation | Vendor-released patch: upgrade Capgo to 12.128.2 or later, which corrects the rescind_invitation function's error handling. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: verify your Capgo version (vulnerable before 12.128.2) and audit all publishable API keys currently deployed; if vulnerable, restrict API key access to internal networks and trusted IP ranges only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44623
GHSA-q5cf-73cv-r7f2