Skip to main content

Capgo

89 CVEs product

Monthly

CVE-2026-56339 HIGH PATCH This Week

Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
CVE-2026-56336 MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo's /private/sso/check-domain endpoint exposes internal org_id and provider_id values to any network-reachable attacker. All Capgo deployments prior to version 12.128.2 are affected, with the vulnerable endpoint accessible without credentials. An attacker can systematically enumerate email domains against this endpoint to construct a detailed mapping of domains to organization UUIDs and SSO provider identifiers, enabling targeted reconnaissance against Capgo tenants - no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56313 HIGH PATCH This Week

Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-56308 HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-56281 MEDIUM PATCH This Month

SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.

SQLi Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56252 MEDIUM PATCH This Month

Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56241 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56238 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 exposes confidential business metrics through the Supabase PostgREST /rest/v1/global_stats endpoint, which lacks row-level security enforcement. Any remote party holding only the public (anon) Supabase apikey - a value embedded in Capgo client apps and therefore trivially obtainable - can read MRR, total and plan-tier revenue, customer counts, and operational telemetry. Reported by VulnCheck via a GitHub security advisory; no public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 score of 8.7 reflects high confidentiality impact with no barriers to access.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56303 HIGH PATCH This Week

Unauthenticated API key metadata disclosure in Capgo before 12.128.2 stems from the find_apikey_by_value PostgreSQL function being marked SECURITY DEFINER and granted to the anon role, allowing anyone to call it through the PostgREST endpoint /rest/v1/rpc/find_apikey_by_value. When supplied a valid key value, an attacker retrieves sensitive metadata about that key - user_id, mode, organization scoping, and expiration details - bypassing normal row-level security. Reported by VulnCheck with CVSS 4.0 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.

PostgreSQL Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56296 MEDIUM PATCH This Month

Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56240 MEDIUM PATCH This Month

Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56335 HIGH PATCH This Week

Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56329 MEDIUM PATCH This Month

Preview namespace collision in Capgo before 12.128.2 enables authenticated low-privileged tenants to hijack or deny preview routing for other tenants' applications by deliberately registering app IDs containing double underscores that decode identically to a victim's dot-separated app ID. The non-bijective hostname parsing - where `__` maps to `.` but `.` is also a valid app ID character - breaks namespace uniqueness across tenants, allowing cross-tenant preview misrouting. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; real-world impact is confined to preview functionality, not production app delivery.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56312 MEDIUM PATCH This Month

Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56309 MEDIUM PATCH This Month

Plan quota enforcement is missing on the /files/upload/attachments endpoint in Capgo before 12.128.2, allowing upload-scoped API keys to bypass plan restrictions and create publicly readable Cloudflare R2 objects regardless of account standing. Apps that have been plan-blocked or suspended retain the ability to upload arbitrary attachments that persist outside bundle metadata and survive app deletion, enabling sustained storage and bandwidth abuse against the Capgo platform. No public exploit has been identified at time of analysis, and the vulnerability has not been confirmed as actively exploited.

Denial Of Service Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56305 HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56279 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56334 MEDIUM PATCH This Month

Missing UPDATE row-level security (RLS) policy on Capgo's build_requests table permits low-privileged API-key holders to perform unauthorized status updates against build pipeline records, corrupting build state by leaving rows permanently stuck in a pending state with null last_error values. Capgo versions before 12.128.2 on all platforms are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, exploitation requires only low-privilege network access with no additional complexity, making it a straightforward post-authentication integrity issue.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56333 MEDIUM PATCH This Month

Server-side validation bypass in Capgo before 12.128.2 allows authenticated organization administrators to write invalid values directly to the public.orgs database table from the browser, circumventing field-level security policy enforcement for parameters such as max_apikey_expiration_days. The root cause is insufficient server-side enforcement in a Supabase-backed architecture where authenticated clients can interact directly with underlying tables without adequate RLS or server-side validation gates. No public exploit has been identified and the vulnerability is not listed in CISA KEV, though the low-complexity attack path makes it trivially executable by any org admin.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56331 MEDIUM PATCH This Month

Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56328 HIGH PATCH This Week

Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56327 MEDIUM PATCH This Month

Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56320 HIGH PATCH This Week

Broken authorization in Capgo before 12.128.2 lets an authenticated attacker forge device records against any application by supplying an arbitrary org_id to POST /private/create_device, which the backend trusts without checking it matches the target app's owning organization. The CVSS 4.0 score of 7.1 reflects high integrity impact with low privileges required and no user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56318 MEDIUM PATCH This Month

Organization UUID enumeration in Capgo before 12.128.2 allows unauthenticated remote attackers to confirm the existence of valid organization identifiers by exploiting differential error responses from the /private/validate_password_compliance endpoint. The endpoint returns distinct HTTP status codes and error message bodies depending on whether a submitted organization ID is malformed, non-existent, or valid - functioning as an unauthenticated oracle. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though automated scripted enumeration is trivially feasible given the low attack complexity (CVSS 4.0 base score 6.9, AV:N/AC:L/PR:N).

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56300 HIGH PATCH This Week

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse two SECURITY DEFINER RPC functions, get_user_id and get_org_perm_for_apikey, reachable with only the public/anon API key. Attackers can confirm whether a leaked API key is valid, resolve user UUIDs, and read the permission level tied to a key, turning otherwise-uncertain credential leaks into actionable, scoped targets. CVSS 4.0 is 8.7 (High); there is no public exploit identified at time of analysis and it is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56286 HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
CVSS 4.0
7.0
EPSS
0.4%
CVE-2026-56249 HIGH PATCH This Week

Privilege-bound authorization bypass in Capgo before 12.128.2 lets any authenticated user holding the app.create_channel permission overwrite existing channels by reusing their names, hijacking ownership and rewriting production channel configurations. The flaw stems from a logic mismatch between the existence-validation check and the upsert operation in the channel-creation endpoint, enabling tampering with live release channels. No public exploit identified at time of analysis; reported by VulnCheck with a vendor security advisory available.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-56247 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrower app scope without any validation of scope compatibility, and to do so even for pending (not-yet-accepted) invitees. Because these malformed high-privilege bindings persist through invite acceptance, a nominally low-privilege user who accepts the invite gains unauthorized privileged app-level actions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56233 HIGH PATCH This Week

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a path-traversal flaw in the builder upload proxy to reach internal administrative endpoints. By appending traversal sequences to the upload path - which the WHATWG URL parser normalizes - an attacker pivots requests carrying the privileged BUILDER_API_KEY header, turning limited build access into SSRF and elevated server-side privileges. Reported by VulnCheck with a CVSS 4.0 score of 8.7; no public exploit identified at time of analysis.

Privilege Escalation Path Traversal Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-56230 HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited API key by supplying its identifier in the client-controlled x-limited-key-id header, which middlewareKey() trusts without checking ownership. Any low-privilege account can therefore read and act on resources belonging to other tenants across multiple API endpoints. No public exploit identified at time of analysis, though the flaw is trivially reproducible once the key-ID format is known.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56224 MEDIUM PATCH This Month

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.

Session Fixation Information Disclosure Capgo
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56219 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. No public exploit has been identified at time of analysis, and the flaw discloses data only (no integrity or availability impact), but the CVSS 4.0 score of 8.7 reflects easy, unauthenticated, network-reachable confidentiality loss.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56338 MEDIUM PATCH This Month

Denial of service in Capgo's /auth/v1/otp endpoint blocks email-based 2FA enrollment for authenticated users in all versions before 12.128.2. The backend captcha validation subsystem fails to handle exceptions gracefully, consistently returning HTTP 500 errors and preventing users from completing two-factor authentication setup. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the impact is security-control degradation: users cannot activate 2FA, leaving accounts with only single-factor protection.

Denial Of Service Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56337 MEDIUM PATCH This Month

Unauthenticated app enumeration in Capgo before 12.128.2 allows remote attackers to determine whether specific app_ids exist across all tenants by querying the exposed exist_app_v2 RPC endpoint without credentials. The root cause is a PostgreSQL SECURITY DEFINER function that executes with elevated owner privileges, bypassing row-level security policies and enabling cross-tenant information disclosure via the PostgREST API at POST /rest/v1/rpc/exist_app_v2. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, though the attack requires no authentication and trivial HTTP tooling.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56310 MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56302 MEDIUM PATCH This Month

Unauthenticated remote attackers can read, insert, and delete stored app icons in Capgo (all versions before 12.128.2) due to a Supabase images bucket entirely lacking row-level security (RLS) controls. Exploitation leaks sensitive app IDs and user IDs embedded in bucket metadata, and enables full icon deletion causing visual degradation of hosted applications. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 12.128.2.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56257 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users to directly modify the public.apps.owner_org column via PostgREST, circumventing the intended transfer_app() workflow. Successful exploitation creates a split-brain ownership state where apps.owner_org and app_versions.owner_org diverge, letting the original organization's API keys retain access to version data while the new owning organization controls the app record. No public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56256 HIGH PATCH This Week

Two-factor authentication bypass in Capgo before 12.128.2 allows an authenticated admin who has not completed 2FA enrollment to perform privileged organization management actions by replaying or modifying captured API requests. The flaw stems from 2FA being enforced exclusively in the frontend UI while the backend ORG management endpoints accept requests without verifying 2FA completion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56245 HIGH PATCH This Week

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.

Privilege Escalation Denial Of Service Capgo
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-56244 HIGH PATCH This Week

Webhook signing secret disclosure in Capgo prior to 12.128.2 allows authenticated holders of non-admin API keys to read the webhook signing secret directly from the Supabase REST-exposed webhooks table because row-level security policies are too permissive. Once obtained, the secret lets the attacker forge valid X-Capgo-Signature headers and submit spoofed webhook events to any configured receiver, undermining webhook authenticity and integrity. No public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56237 CRITICAL PATCH Act Now

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tampering with a client-side parameter in the key generation request, because the backend never validates that keys are server-generated or bound to the authenticated user. The forged keys grant access to protected endpoints, yielding full confidentiality and integrity compromise of tenant data. No public exploit identified at time of analysis, but the flaw is trivially reproducible from any HTTP client.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-56232 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users with valid subkeys to escape scope restrictions by supplying their own subkey identifier in the x-limited-key-id header, causing middlewareKey to fall back to the unrestricted parent key. With CVSS 4.0 of 8.7 and high impact across confidentiality, integrity, and availability, exploitation only requires low-privileged API access, though no public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56231 HIGH PATCH This Week

Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.

Authentication Bypass Denial Of Service Capgo
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56223 CRITICAL PATCH Act Now

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a malicious IdP to forge SAML assertions and merge arbitrary victim accounts based solely on email match. The provision-user endpoint fails to validate that the asserting SSO provider is authorized for the victim's email domain, granting full takeover of accounts, organizations, and data. No public exploit identified at time of analysis; CVSS 4.0 base is 9.3 (Critical) reflecting high impact across both vulnerable and subsequent systems.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-56322 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 allows unauthenticated remote attackers to enumerate private update channels via the /updates endpoint, because the defaultChannel parameter is resolved before privacy restrictions are enforced. Response differences let attackers distinguish valid private channels from nonexistent ones and harvest assigned bundle versions plus platform-specific configuration state. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the technique.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56248 HIGH PATCH This Week

Unauthenticated denial of service in Cap-go capgo (capgo-backend) before 12.128.12 allows remote attackers to exhaust PostgreSQL resources by sending unfiltered queries to the public.audit_logs PostgREST endpoint using the public anon key. Because the query planner runs expensive logic before Row-Level Security rejection, repeated requests trigger statement timeouts (error 57014) and cascade into HTTP 500 failures on unrelated endpoints such as /orgs. No public exploit identified at time of analysis, though the technique is fully described in the GHSA advisory.

Denial Of Service PostgreSQL Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56243 HIGH PATCH This Week

Authentication bypass in Capgo before 12.128.2 allows authenticated attackers to defeat the org-level hashed-API-key control by submitting plaintext API keys via the capgkey header directly to the PostgREST/RLS plane. Despite the enforce_hashed_api_keys setting being toggled on, the data plane fails to honor that policy, granting access to protected resources. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-56234 MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56225 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets authenticated holders of an app-scoped public API key enumerate, modify, or delete other API keys on the same account that belong to different applications. The flaw stems from missing limited_to_apps enforcement in the get/put/delete/post key-management handlers, which only validate the limited_to_orgs scope. No public exploit identified at time of analysis, though the issue is disclosed via a GitHub Security Advisory and VulnCheck.

Privilege Escalation Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56222 HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 allows organization administrators to attach role bindings to applications owned by other organizations via the POST /private/role_bindings endpoint, which validates org membership but not app_id ownership. Successful exploitation grants unauthorized read and modification access to victim applications across tenant boundaries. No public exploit identified at time of analysis, but a vendor advisory (GHSA-5r52-m8r9-7f8x) and VulnCheck disclosure confirm the issue.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-56324 HIGH PATCH This Week

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpoint by rotating the client-supplied device_id parameter, defeating per-device throttling. Sustained abuse writes unbounded rows into the channel_devices table, exhausting database resources and degrading or denying service to legitimate users. No public exploit identified at time of analysis, but the attack is trivial to script given CVSS 4.0 AV:N/AC:L/PR:N/UI:N.

Denial Of Service Capgo
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-56323 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_self endpoint with arbitrary app_id values to enumerate private rollout channels, confirm the existence of tenant applications, and extract subscription/billing status. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-level abuse against default deployments. The flaw enables cross-tenant reconnaissance that can seed further targeted attacks against high-value Capgo users.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56321 MEDIUM PATCH This Month

Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56314 HIGH PATCH This Week

Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56311 MEDIUM PATCH This Month

Unauthenticated cross-tenant information disclosure in Capgo before 12.128.2 exposes billing plan metadata for arbitrary organizations via an improperly authorized Supabase RPC function. Any network-accessible attacker possessing only the public Supabase anon key can call the `public.get_current_plan_max_org` endpoint with any organization UUID to retrieve MAU limits, bandwidth, storage, and build time plan data belonging to unrelated tenants. No active exploitation is confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56306 MEDIUM PATCH This Month

Subkey permission bypass in Capgo before 12.128.2 allows authenticated API users to escalate from restricted subkey scope to full main API key privileges by sending malformed x-limited-key-id header values. The parsing flaw - triggered by submitting zero, NaN-coercible, or duplicate header values - causes the subkey scoping enforcement to evaluate to falsy, silently falling through to the unrestricted main API key context. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the bypass is mechanically straightforward for any holder of a valid subkey credential.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56280 HIGH PATCH This Week

Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56255 MEDIUM PATCH This Month

Unenforced resource limits on the POST /app/demo endpoint in Capgo before 12.128.2 allow any authenticated user holding org write permissions to create unlimited demo applications, each triggering approximately 138 database write operations. Sustained abuse degrades platform performance, inflates infrastructure costs, and can cause service instability for all tenants sharing the backend. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation complexity for any org-level member makes compromised-account or insider-threat scenarios operationally realistic.

Denial Of Service Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56221 HIGH PATCH This Week

SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.

SQLi Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56316 MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56299 MEDIUM PATCH This Month

Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56253 HIGH PATCH This Week

Unauthenticated organization member enumeration in Capgo before 12.128.2 allows remote attackers to harvest email addresses, user IDs, roles, and pending invitations by invoking the public.get_org_members RPC with only a publishable Supabase key and a target organization UUID. The flaw, reported by VulnCheck and tracked as EUVD-2026-38169, carries a CVSS 4.0 score of 8.7 and reflects a broken access control check on a public Postgres RPC. No public exploit identified at time of analysis, but the trivial invocation makes mass scraping straightforward once an org UUID is known.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56251 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-56242 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets remote unauthenticated attackers abuse the security-definer RPC function get_identity_apikey_only to validate arbitrary API keys and map them to owning user_ids. The endpoint functions as an oracle, and results can be chained into other exposed RPCs such as get_orgs_v6 to enumerate organization membership and harvest management email PII. No public exploit identified at time of analysis, though VulnCheck has publicly documented the technique and a vendor patch is available.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56239 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated Supabase users to manipulate billing data for arbitrary organizations by invoking the public.apply_usage_overage SECURITY DEFINER function via RPC. The function executes with owner privileges and skips auth.uid(), org membership, and check_min_rights validation, bypassing Row Level Security and enabling fraudulent overage insertion or credit depletion across tenants. No public exploit identified at time of analysis, but vendor and VulnCheck have published advisories and a patched release.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56229 HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated API clients read build status and logs belonging to other applications by combining an authorized app_id with a job_id from a different, unauthorized app. The /build/status and /build/logs endpoints validate the app_id but fail to verify that the supplied job_id actually belongs to that application, exposing logs, metadata, and potentially embedded credentials across tenant boundaries. No public exploit identified at time of analysis, though VulnCheck has published an advisory with technical details.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56332 MEDIUM PATCH This Month

Open redirect in Capgo's confirm-signup endpoint (all versions before 12.128.2) enables unauthenticated remote attackers to craft account confirmation links that silently redirect victims to arbitrary attacker-controlled websites. The unvalidated `confirmation_url` parameter in the confirm-signup flow accepts any external URL without domain allowlisting or sanitization, making legitimate Capgo-sending domains a trusted launchpad for phishing and credential harvesting. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering amplification risk is significant given the trusted-email-domain context.

Open Redirect Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56330 MEDIUM PATCH This Month

Open redirect in Capgo's Stripe billing endpoints (stripe_portal and stripe_checkout) allows authenticated attackers to manipulate the callbackUrl, successUrl, and cancelUrl parameters to silently redirect users to attacker-controlled phishing domains after billing interactions. All Capgo releases before 12.128.2 are affected per vendor advisory GHSA-grc7-98pf-h8hq. Exploitation requires a valid Capgo account (CVSS PR:L) and victim interaction (UI:A), and no public exploit or CISA KEV listing exists at time of analysis; however, the Stripe payment context lends phishing lures unusual credibility, elevating realistic social-engineering risk above what the medium CVSS score alone implies.

Open Redirect Capgo
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-56319 MEDIUM PATCH This Month

Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56307 MEDIUM PATCH This Month

Broken cursor pagination in Capgo's /private/devices endpoint on the Cloudflare/workerd runtime path allows authenticated attackers with app.read_devices permission to trigger infinite duplicate-page loops, making later dataset rows permanently unreachable for affected sessions. All Capgo versions before 12.128.12 are vulnerable, and the impact is operational: device-management workflows repeatedly process the same duplicate records while failing to advance through the full dataset. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.3 (Medium) reflects limited, availability-only impact scoped to the vulnerable system.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56295 MEDIUM PATCH This Month

Webhook management endpoints in Capgo before 12.128.2 expose an authorization policy bypass that allows holders of non-expiring API keys to circumvent the organization-level require_apikey_expiration policy. The checkWebhookPermission function omits the required call to apikeyHasOrgRightWithPolicy, leaving webhook operations - listing, creating, and deleting - accessible to legacy non-expiring keys even when the organization has explicitly mandated key expiration. No public exploit has been identified at time of analysis, and exploitation requires prior possession of a valid non-expiring API key, targeting organizations that believed their key-expiration policy was uniformly enforced.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56282 MEDIUM PATCH This Month

Unauthenticated access to Capgo's /replication HTTP endpoint exposes internal PostgreSQL replication telemetry to any remote attacker, affecting all versions prior to 12.128.2. Attackers can retrieve replication slot names, WAL LSN positions (confirmed_flush_lsn, restart_lsn), and database error messages without supplying any credentials, enabling database infrastructure reconnaissance. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-complexity unauthenticated attack vector makes opportunistic scanning against internet-exposed Capgo deployments trivially feasible.

Information Disclosure PostgreSQL Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56235 MEDIUM PATCH This Month

Cross-tenant information disclosure in Capgo (cap-go/capgo) before version 12.128.2 exposes per-organization usage telemetry to any caller holding the publicly distributed Supabase API key. Three PostgREST RPC functions - get_app_metrics, get_global_metrics, and get_total_metrics - are granted to the Supabase anon role without enforcing org membership or permission checks, allowing queries against arbitrary org_id values to return MAU, bandwidth, installs, and app IDs belonging to other tenants. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; a vendor-released patch exists at version 12.128.2.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56228 MEDIUM PATCH This Month

Capgo's password policy configuration in versions before 12.128.2 can be exploited by an authenticated organization administrator to trigger an organization-wide account lockout by setting an arbitrarily large minimum password length - such as billions of characters - with no server-side upper-bound enforcement. Once the malicious policy is enabled, every organization member including other administrators is prevented from setting a compliant password, permanently blocking access to the organization and constituting an application-level denial of service. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the insider-threat and compromised-admin-credential risk category.

Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56227 MEDIUM PATCH This Month

Server-side request forgery in Capgo's webhook URL validation exposes internal infrastructure to organization admins who can direct the backend to issue HTTP requests against loopback and private addresses (localhost, 127.0.0.1). All Capgo versions prior to 12.128.2 are affected per the GitHub Security Advisory GHSA-48hc-53hv-6x3f. The vulnerability is particularly dangerous in cloud-hosted deployments where the backend server can reach instance metadata services (e.g., AWS IMDS), and error responses are disclosed directly to the triggering user, enabling iterative internal network reconnaissance. No public exploit identified at time of analysis and no CISA KEV listing, but the authenticated-admin attack path lowers the effective barrier in multi-tenant SaaS environments.

SSRF Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56218 MEDIUM PATCH This Month

Capgo before version 12.128.2 exposes user physical location by retaining EXIF GPS metadata in uploaded images without sanitization. Unauthenticated remote attackers can download images hosted on affected Capgo instances and extract embedded latitude/longitude coordinates, revealing where users were physically located at the time of photo capture. No public exploit is identified at time of analysis, and a vendor patch is available in version 12.128.2.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56325 LOW PATCH Monitor

Preview subdomain resolution in Capgo before 12.128.2 is susceptible to app-id confusion because the resolver uses PostgreSQL's ILIKE operator - which treats underscores as single-character wildcards - instead of exact equality matching for app_id lookups. An authenticated attacker who can register a Capgo application can craft an app_id with strategically placed underscores that collide with a victim application's identifier, hijacking preview subdomain resolution and breaking preview functionality for the targeted app. No public exploit code exists and no active exploitation has been confirmed (KEV absent); the CVSS 4.0 score of 2.3 reflects genuinely low real-world risk constrained by high attack complexity, required authentication, and limited availability-only impact.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-56216 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows holders of app-limited API keys to mint new unrestricted keys via the POST /functions/v1/apikey endpoint by submitting empty limit fields. The flaw effectively bypasses the API key scoping model, granting org-wide access to app listings and other protected resources from any compromised low-privilege key. No public exploit identified at time of analysis, but a vendor advisory (GHSA-2ff8-7h96-hwfp) and a VulnCheck writeup confirm the issue.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56215 HIGH PATCH This Week

Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56214 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers enumerate organizations and reveal billing status by invoking the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org with the publicly distributed sb_publishable key. The flaw is reachable directly over the network without credentials and produces distinguishable responses that identify paying customers, enabling targeted profiling; no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56213 MEDIUM PATCH This Month

Cross-tenant metrics poisoning in Capgo before 12.128.2 allows unauthenticated remote attackers to insert arbitrary rows into the version_meta table for any tenant's app_id by invoking the PostgREST RPC endpoint using only the public anonymous key. The root cause is a missing authorization check inside a SECURITY DEFINER PostgreSQL function, which executes with elevated definer privileges while accepting caller-supplied app_id values without ownership validation. Although no public exploit code or CISA KEV listing exists at time of analysis, the attack requires no credentials beyond the public anon key - typically embedded in distributed client applications - making the practical barrier to exploitation extremely low despite the moderate CVSS 4.0 score of 6.9.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56212 MEDIUM PATCH This Month

Authentication logic bypass in Capgo before 12.128.2 permits a team or organization security settings manager to enforce mandatory two-factor authentication across all team members without having 2FA active on their own account. The platform never validates the initiator's own 2FA enrollment state before committing the policy change, creating an asymmetric enforcement condition where the policy creator is effectively exempt from the mandate they impose. No public exploit code has been identified and Capgo is not listed in the CISA Known Exploited Vulnerabilities catalog; the CVSS 4.0 score of 5.1 (PR:H) reflects that exploitation is constrained to already-privileged insiders.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56082 HIGH PATCH This Week

Cross-tenant billing log tampering in Capgo (Cap-go/capgo) before 12.128.2 allows unauthenticated attackers holding only the public Supabase publishable anon key to insert or overwrite build_logs rows for arbitrary organizations via the SECURITY DEFINER PostgREST RPC public.record_build_time. Because the function is granted to the anon role and uses ON CONFLICT (build_id, org_id) DO UPDATE, attackers can inflate or alter another tenant's billable build time, producing financial-impact denial of service. No public exploit identified at time of analysis, though the vendor advisory (GHSA-42xj-3h9w-26h5) and a VulnCheck write-up describe the attack path in detail.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56081 CRITICAL PATCH Act Now

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a victim's email address before that email is verified, then lock the legitimate owner out by enabling two-factor authentication on the squatted account. The flaw stems from a CWE-640 weak password recovery / account-binding logic issue and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56080 MEDIUM PATCH This Month

Capgo's Enforce Password Policy feature in versions before 12.128.2 permanently locks Super Admins out of their organization through a backend state management flaw, constituting a targeted denial-of-service against administrative access. When a Super Admin enables the password policy and successfully changes their password to a policy-compliant value, the backend fails to mark the account compliant, trapping the account in an infinite forced-password-reset loop and severing all organization management access. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite and pure availability impact with no confidentiality or integrity consequence.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56079 HIGH PATCH This Week

Cross-tenant data exposure in Capgo before 12.128.2 lets an authenticated org-scoped read API key reach other tenants' PostgREST endpoints and pull HMAC webhook signing secrets plus delivery logs. Disclosed by VulnCheck with a vendor GitHub Security Advisory (GHSA-hj3h-v877-g5rx); no public exploit identified at time of analysis, and the secrets retrieved enable subsequent forgery of authentic-looking webhook events against victim organizations.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56073 CRITICAL PATCH Act Now

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering with HTTP responses returned to the client, which the application trusts to decide whether verification succeeded. Successful exploitation enables fraudulent 2FA enrollment and account takeover, and no public exploit has been identified at time of analysis though VulnCheck has published an advisory describing the response-manipulation technique.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-53868 HIGH PATCH This Week

Denial of service in Capgo before 12.128.2 allows remote unauthenticated attackers to lock legitimate users out of the platform for 30 days by registering accounts with arbitrary unverified email addresses and immediately initiating account deletion, placing the targeted email in a pending-deletion lock state. The CVSS 4.0 score of 8.7 (High) reflects high availability impact achievable over the network without privileges or interaction; no public exploit identified at time of analysis, though the attack is trivially reproducible from the description.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53867 MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVSS 8.7
HIGH PATCH This Week

Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo's /private/sso/check-domain endpoint exposes internal org_id and provider_id values to any network-reachable attacker. All Capgo deployments prior to version 12.128.2 are affected, with the vulnerable endpoint accessible without credentials. An attacker can systematically enumerate email domains against this endpoint to construct a detailed mapping of domains to organization UUIDs and SSO provider identifiers, enabling targeted reconnaissance against Capgo tenants - no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.

SQLi Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 exposes confidential business metrics through the Supabase PostgREST /rest/v1/global_stats endpoint, which lacks row-level security enforcement. Any remote party holding only the public (anon) Supabase apikey - a value embedded in Capgo client apps and therefore trivially obtainable - can read MRR, total and plan-tier revenue, customer counts, and operational telemetry. Reported by VulnCheck via a GitHub security advisory; no public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 score of 8.7 reflects high confidentiality impact with no barriers to access.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated API key metadata disclosure in Capgo before 12.128.2 stems from the find_apikey_by_value PostgreSQL function being marked SECURITY DEFINER and granted to the anon role, allowing anyone to call it through the PostgREST endpoint /rest/v1/rpc/find_apikey_by_value. When supplied a valid key value, an attacker retrieves sensitive metadata about that key - user_id, mode, organization scoping, and expiration details - bypassing normal row-level security. Reported by VulnCheck with CVSS 4.0 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.

PostgreSQL Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Preview namespace collision in Capgo before 12.128.2 enables authenticated low-privileged tenants to hijack or deny preview routing for other tenants' applications by deliberately registering app IDs containing double underscores that decode identically to a victim's dot-separated app ID. The non-bijective hostname parsing - where `__` maps to `.` but `.` is also a valid app ID character - breaks namespace uniqueness across tenants, allowing cross-tenant preview misrouting. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; real-world impact is confined to preview functionality, not production app delivery.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Plan quota enforcement is missing on the /files/upload/attachments endpoint in Capgo before 12.128.2, allowing upload-scoped API keys to bypass plan restrictions and create publicly readable Cloudflare R2 objects regardless of account standing. Apps that have been plan-blocked or suspended retain the ability to upload arbitrary attachments that persist outside bundle metadata and survive app deletion, enabling sustained storage and bandwidth abuse against the Capgo platform. No public exploit has been identified at time of analysis, and the vulnerability has not been confirmed as actively exploited.

Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (CWE-620), letting an attacker who holds any temporary or low-privilege session set a new password without proving they know the old one. Because the CVSS 4.0 vector reflects a low-privilege (PR:L) network attacker with high confidentiality and integrity impact, a hijacked or briefly-borrowed session can be converted into permanent control, locking legitimate users out. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so risk is credible but not confirmed as actively exploited.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing UPDATE row-level security (RLS) policy on Capgo's build_requests table permits low-privileged API-key holders to perform unauthorized status updates against build pipeline records, corrupting build state by leaving rows permanently stuck in a pending state with null last_error values. Capgo versions before 12.128.2 on all platforms are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, exploitation requires only low-privilege network access with no additional complexity, making it a straightforward post-authentication integrity issue.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side validation bypass in Capgo before 12.128.2 allows authenticated organization administrators to write invalid values directly to the public.orgs database table from the browser, circumventing field-level security policy enforcement for parameters such as max_apikey_expiration_days. The root cause is insufficient server-side enforcement in a Supabase-backed architecture where authenticated clients can interact directly with underlying tables without adequate RLS or server-side validation gates. No public exploit has been identified and the vulnerability is not listed in CISA KEV, though the low-complexity attack path makes it trivially executable by any org admin.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Capgo before 12.128.2 lets an authenticated attacker forge device records against any application by supplying an arbitrary org_id to POST /private/create_device, which the backend trusts without checking it matches the target app's owning organization. The CVSS 4.0 score of 7.1 reflects high integrity impact with low privileges required and no user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Organization UUID enumeration in Capgo before 12.128.2 allows unauthenticated remote attackers to confirm the existence of valid organization identifiers by exploiting differential error responses from the /private/validate_password_compliance endpoint. The endpoint returns distinct HTTP status codes and error message bodies depending on whether a submitted organization ID is malformed, non-existent, or valid - functioning as an unauthenticated oracle. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though automated scripted enumeration is trivially feasible given the low attack complexity (CVSS 4.0 base score 6.9, AV:N/AC:L/PR:N).

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse two SECURITY DEFINER RPC functions, get_user_id and get_org_perm_for_apikey, reachable with only the public/anon API key. Attackers can confirm whether a leaked API key is valid, resolve user UUIDs, and read the permission level tied to a key, turning otherwise-uncertain credential leaks into actionable, scoped targets. CVSS 4.0 is 8.7 (High); there is no public exploit identified at time of analysis and it is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege-bound authorization bypass in Capgo before 12.128.2 lets any authenticated user holding the app.create_channel permission overwrite existing channels by reusing their names, hijacking ownership and rewriting production channel configurations. The flaw stems from a logic mismatch between the existence-validation check and the upsert operation in the channel-creation endpoint, enabling tampering with live release channels. No public exploit identified at time of analysis; reported by VulnCheck with a vendor security advisory available.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrower app scope without any validation of scope compatibility, and to do so even for pending (not-yet-accepted) invitees. Because these malformed high-privilege bindings persist through invite acceptance, a nominally low-privilege user who accepts the invite gains unauthorized privileged app-level actions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a path-traversal flaw in the builder upload proxy to reach internal administrative endpoints. By appending traversal sequences to the upload path - which the WHATWG URL parser normalizes - an attacker pivots requests carrying the privileged BUILDER_API_KEY header, turning limited build access into SSRF and elevated server-side privileges. Reported by VulnCheck with a CVSS 4.0 score of 8.7; no public exploit identified at time of analysis.

Privilege Escalation Path Traversal Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited API key by supplying its identifier in the client-controlled x-limited-key-id header, which middlewareKey() trusts without checking ownership. Any low-privilege account can therefore read and act on resources belonging to other tenants across multiple API endpoints. No public exploit identified at time of analysis, though the flaw is trivially reproducible once the key-ID format is known.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.

Session Fixation Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. No public exploit has been identified at time of analysis, and the flaw discloses data only (no integrity or availability impact), but the CVSS 4.0 score of 8.7 reflects easy, unauthenticated, network-reachable confidentiality loss.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Denial of service in Capgo's /auth/v1/otp endpoint blocks email-based 2FA enrollment for authenticated users in all versions before 12.128.2. The backend captcha validation subsystem fails to handle exceptions gracefully, consistently returning HTTP 500 errors and preventing users from completing two-factor authentication setup. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the impact is security-control degradation: users cannot activate 2FA, leaving accounts with only single-factor protection.

Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated app enumeration in Capgo before 12.128.2 allows remote attackers to determine whether specific app_ids exist across all tenants by querying the exposed exist_app_v2 RPC endpoint without credentials. The root cause is a PostgreSQL SECURITY DEFINER function that executes with elevated owner privileges, bypassing row-level security policies and enabling cross-tenant information disclosure via the PostgREST API at POST /rest/v1/rpc/exist_app_v2. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, though the attack requires no authentication and trivial HTTP tooling.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated remote attackers can read, insert, and delete stored app icons in Capgo (all versions before 12.128.2) due to a Supabase images bucket entirely lacking row-level security (RLS) controls. Exploitation leaks sensitive app IDs and user IDs embedded in bucket metadata, and enables full icon deletion causing visual degradation of hosted applications. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 12.128.2.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users to directly modify the public.apps.owner_org column via PostgREST, circumventing the intended transfer_app() workflow. Successful exploitation creates a split-brain ownership state where apps.owner_org and app_versions.owner_org diverge, letting the original organization's API keys retain access to version data while the new owning organization controls the app record. No public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Two-factor authentication bypass in Capgo before 12.128.2 allows an authenticated admin who has not completed 2FA enrollment to perform privileged organization management actions by replaying or modifying captured API requests. The flaw stems from 2FA being enforced exclusively in the frontend UI while the backend ORG management endpoints accept requests without verifying 2FA completion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.

Privilege Escalation Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Webhook signing secret disclosure in Capgo prior to 12.128.2 allows authenticated holders of non-admin API keys to read the webhook signing secret directly from the Supabase REST-exposed webhooks table because row-level security policies are too permissive. Once obtained, the secret lets the attacker forge valid X-Capgo-Signature headers and submit spoofed webhook events to any configured receiver, undermining webhook authenticity and integrity. No public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tampering with a client-side parameter in the key generation request, because the backend never validates that keys are server-generated or bound to the authenticated user. The forged keys grant access to protected endpoints, yielding full confidentiality and integrity compromise of tenant data. No public exploit identified at time of analysis, but the flaw is trivially reproducible from any HTTP client.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users with valid subkeys to escape scope restrictions by supplying their own subkey identifier in the x-limited-key-id header, causing middlewareKey to fall back to the unrestricted parent key. With CVSS 4.0 of 8.7 and high impact across confidentiality, integrity, and availability, exploitation only requires low-privileged API access, though no public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.

Authentication Bypass Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a malicious IdP to forge SAML assertions and merge arbitrary victim accounts based solely on email match. The provision-user endpoint fails to validate that the asserting SSO provider is authorized for the victim's email domain, granting full takeover of accounts, organizations, and data. No public exploit identified at time of analysis; CVSS 4.0 base is 9.3 (Critical) reflecting high impact across both vulnerable and subsequent systems.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 allows unauthenticated remote attackers to enumerate private update channels via the /updates endpoint, because the defaultChannel parameter is resolved before privacy restrictions are enforced. Response differences let attackers distinguish valid private channels from nonexistent ones and harvest assigned bundle versions plus platform-specific configuration state. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the technique.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated denial of service in Cap-go capgo (capgo-backend) before 12.128.12 allows remote attackers to exhaust PostgreSQL resources by sending unfiltered queries to the public.audit_logs PostgREST endpoint using the public anon key. Because the query planner runs expensive logic before Row-Level Security rejection, repeated requests trigger statement timeouts (error 57014) and cascade into HTTP 500 failures on unrelated endpoints such as /orgs. No public exploit identified at time of analysis, though the technique is fully described in the GHSA advisory.

Denial Of Service PostgreSQL Capgo
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Capgo before 12.128.2 allows authenticated attackers to defeat the org-level hashed-API-key control by submitting plaintext API keys via the capgkey header directly to the PostgREST/RLS plane. Despite the enforce_hashed_api_keys setting being toggled on, the data plane fails to honor that policy, granting access to protected resources. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets authenticated holders of an app-scoped public API key enumerate, modify, or delete other API keys on the same account that belong to different applications. The flaw stems from missing limited_to_apps enforcement in the get/put/delete/post key-management handlers, which only validate the limited_to_orgs scope. No public exploit identified at time of analysis, though the issue is disclosed via a GitHub Security Advisory and VulnCheck.

Privilege Escalation Capgo
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 allows organization administrators to attach role bindings to applications owned by other organizations via the POST /private/role_bindings endpoint, which validates org membership but not app_id ownership. Successful exploitation grants unauthorized read and modification access to victim applications across tenant boundaries. No public exploit identified at time of analysis, but a vendor advisory (GHSA-5r52-m8r9-7f8x) and VulnCheck disclosure confirm the issue.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpoint by rotating the client-supplied device_id parameter, defeating per-device throttling. Sustained abuse writes unbounded rows into the channel_devices table, exhausting database resources and degrading or denying service to legitimate users. No public exploit identified at time of analysis, but the attack is trivial to script given CVSS 4.0 AV:N/AC:L/PR:N/UI:N.

Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_self endpoint with arbitrary app_id values to enumerate private rollout channels, confirm the existence of tenant applications, and extract subscription/billing status. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-level abuse against default deployments. The flaw enables cross-tenant reconnaissance that can seed further targeted attacks against high-value Capgo users.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated cross-tenant information disclosure in Capgo before 12.128.2 exposes billing plan metadata for arbitrary organizations via an improperly authorized Supabase RPC function. Any network-accessible attacker possessing only the public Supabase anon key can call the `public.get_current_plan_max_org` endpoint with any organization UUID to retrieve MAU limits, bandwidth, storage, and build time plan data belonging to unrelated tenants. No active exploitation is confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Subkey permission bypass in Capgo before 12.128.2 allows authenticated API users to escalate from restricted subkey scope to full main API key privileges by sending malformed x-limited-key-id header values. The parsing flaw - triggered by submitting zero, NaN-coercible, or duplicate header values - causes the subkey scoping enforcement to evaluate to falsy, silently falling through to the unrestricted main API key context. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the bypass is mechanically straightforward for any holder of a valid subkey credential.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unenforced resource limits on the POST /app/demo endpoint in Capgo before 12.128.2 allow any authenticated user holding org write permissions to create unlimited demo applications, each triggering approximately 138 database write operations. Sustained abuse degrades platform performance, inflates infrastructure costs, and can cause service instability for all tenants sharing the backend. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation complexity for any org-level member makes compromised-account or insider-threat scenarios operationally realistic.

Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.

SQLi Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated organization member enumeration in Capgo before 12.128.2 allows remote attackers to harvest email addresses, user IDs, roles, and pending invitations by invoking the public.get_org_members RPC with only a publishable Supabase key and a target organization UUID. The flaw, reported by VulnCheck and tracked as EUVD-2026-38169, carries a CVSS 4.0 score of 8.7 and reflects a broken access control check on a public Postgres RPC. No public exploit identified at time of analysis, but the trivial invocation makes mass scraping straightforward once an org UUID is known.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets remote unauthenticated attackers abuse the security-definer RPC function get_identity_apikey_only to validate arbitrary API keys and map them to owning user_ids. The endpoint functions as an oracle, and results can be chained into other exposed RPCs such as get_orgs_v6 to enumerate organization membership and harvest management email PII. No public exploit identified at time of analysis, though VulnCheck has publicly documented the technique and a vendor patch is available.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated Supabase users to manipulate billing data for arbitrary organizations by invoking the public.apply_usage_overage SECURITY DEFINER function via RPC. The function executes with owner privileges and skips auth.uid(), org membership, and check_min_rights validation, bypassing Row Level Security and enabling fraudulent overage insertion or credit depletion across tenants. No public exploit identified at time of analysis, but vendor and VulnCheck have published advisories and a patched release.

Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated API clients read build status and logs belonging to other applications by combining an authorized app_id with a job_id from a different, unauthorized app. The /build/status and /build/logs endpoints validate the app_id but fail to verify that the supplied job_id actually belongs to that application, exposing logs, metadata, and potentially embedded credentials across tenant boundaries. No public exploit identified at time of analysis, though VulnCheck has published an advisory with technical details.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirect in Capgo's confirm-signup endpoint (all versions before 12.128.2) enables unauthenticated remote attackers to craft account confirmation links that silently redirect victims to arbitrary attacker-controlled websites. The unvalidated `confirmation_url` parameter in the confirm-signup flow accepts any external URL without domain allowlisting or sanitization, making legitimate Capgo-sending domains a trusted launchpad for phishing and credential harvesting. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering amplification risk is significant given the trusted-email-domain context.

Open Redirect Capgo
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Open redirect in Capgo's Stripe billing endpoints (stripe_portal and stripe_checkout) allows authenticated attackers to manipulate the callbackUrl, successUrl, and cancelUrl parameters to silently redirect users to attacker-controlled phishing domains after billing interactions. All Capgo releases before 12.128.2 are affected per vendor advisory GHSA-grc7-98pf-h8hq. Exploitation requires a valid Capgo account (CVSS PR:L) and victim interaction (UI:A), and no public exploit or CISA KEV listing exists at time of analysis; however, the Stripe payment context lends phishing lures unusual credibility, elevating realistic social-engineering risk above what the medium CVSS score alone implies.

Open Redirect Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken cursor pagination in Capgo's /private/devices endpoint on the Cloudflare/workerd runtime path allows authenticated attackers with app.read_devices permission to trigger infinite duplicate-page loops, making later dataset rows permanently unreachable for affected sessions. All Capgo versions before 12.128.12 are vulnerable, and the impact is operational: device-management workflows repeatedly process the same duplicate records while failing to advance through the full dataset. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.3 (Medium) reflects limited, availability-only impact scoped to the vulnerable system.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Webhook management endpoints in Capgo before 12.128.2 expose an authorization policy bypass that allows holders of non-expiring API keys to circumvent the organization-level require_apikey_expiration policy. The checkWebhookPermission function omits the required call to apikeyHasOrgRightWithPolicy, leaving webhook operations - listing, creating, and deleting - accessible to legacy non-expiring keys even when the organization has explicitly mandated key expiration. No public exploit has been identified at time of analysis, and exploitation requires prior possession of a valid non-expiring API key, targeting organizations that believed their key-expiration policy was uniformly enforced.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to Capgo's /replication HTTP endpoint exposes internal PostgreSQL replication telemetry to any remote attacker, affecting all versions prior to 12.128.2. Attackers can retrieve replication slot names, WAL LSN positions (confirmed_flush_lsn, restart_lsn), and database error messages without supplying any credentials, enabling database infrastructure reconnaissance. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-complexity unauthenticated attack vector makes opportunistic scanning against internet-exposed Capgo deployments trivially feasible.

Information Disclosure PostgreSQL Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-tenant information disclosure in Capgo (cap-go/capgo) before version 12.128.2 exposes per-organization usage telemetry to any caller holding the publicly distributed Supabase API key. Three PostgREST RPC functions - get_app_metrics, get_global_metrics, and get_total_metrics - are granted to the Supabase anon role without enforcing org membership or permission checks, allowing queries against arbitrary org_id values to return MAU, bandwidth, installs, and app IDs belonging to other tenants. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; a vendor-released patch exists at version 12.128.2.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's password policy configuration in versions before 12.128.2 can be exploited by an authenticated organization administrator to trigger an organization-wide account lockout by setting an arbitrarily large minimum password length - such as billions of characters - with no server-side upper-bound enforcement. Once the malicious policy is enabled, every organization member including other administrators is prevented from setting a compliant password, permanently blocking access to the organization and constituting an application-level denial of service. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the insider-threat and compromised-admin-credential risk category.

Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Capgo's webhook URL validation exposes internal infrastructure to organization admins who can direct the backend to issue HTTP requests against loopback and private addresses (localhost, 127.0.0.1). All Capgo versions prior to 12.128.2 are affected per the GitHub Security Advisory GHSA-48hc-53hv-6x3f. The vulnerability is particularly dangerous in cloud-hosted deployments where the backend server can reach instance metadata services (e.g., AWS IMDS), and error responses are disclosed directly to the triggering user, enabling iterative internal network reconnaissance. No public exploit identified at time of analysis and no CISA KEV listing, but the authenticated-admin attack path lowers the effective barrier in multi-tenant SaaS environments.

SSRF Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo before version 12.128.2 exposes user physical location by retaining EXIF GPS metadata in uploaded images without sanitization. Unauthenticated remote attackers can download images hosted on affected Capgo instances and extract embedded latitude/longitude coordinates, revealing where users were physically located at the time of photo capture. No public exploit is identified at time of analysis, and a vendor patch is available in version 12.128.2.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Preview subdomain resolution in Capgo before 12.128.2 is susceptible to app-id confusion because the resolver uses PostgreSQL's ILIKE operator - which treats underscores as single-character wildcards - instead of exact equality matching for app_id lookups. An authenticated attacker who can register a Capgo application can craft an app_id with strategically placed underscores that collide with a victim application's identifier, hijacking preview subdomain resolution and breaking preview functionality for the targeted app. No public exploit code exists and no active exploitation has been confirmed (KEV absent); the CVSS 4.0 score of 2.3 reflects genuinely low real-world risk constrained by high attack complexity, required authentication, and limited availability-only impact.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows holders of app-limited API keys to mint new unrestricted keys via the POST /functions/v1/apikey endpoint by submitting empty limit fields. The flaw effectively bypasses the API key scoping model, granting org-wide access to app listings and other protected resources from any compromised low-privilege key. No public exploit identified at time of analysis, but a vendor advisory (GHSA-2ff8-7h96-hwfp) and a VulnCheck writeup confirm the issue.

Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers enumerate organizations and reveal billing status by invoking the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org with the publicly distributed sb_publishable key. The flaw is reachable directly over the network without credentials and produces distinguishable responses that identify paying customers, enabling targeted profiling; no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-tenant metrics poisoning in Capgo before 12.128.2 allows unauthenticated remote attackers to insert arbitrary rows into the version_meta table for any tenant's app_id by invoking the PostgREST RPC endpoint using only the public anonymous key. The root cause is a missing authorization check inside a SECURITY DEFINER PostgreSQL function, which executes with elevated definer privileges while accepting caller-supplied app_id values without ownership validation. Although no public exploit code or CISA KEV listing exists at time of analysis, the attack requires no credentials beyond the public anon key - typically embedded in distributed client applications - making the practical barrier to exploitation extremely low despite the moderate CVSS 4.0 score of 6.9.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Authentication logic bypass in Capgo before 12.128.2 permits a team or organization security settings manager to enforce mandatory two-factor authentication across all team members without having 2FA active on their own account. The platform never validates the initiator's own 2FA enrollment state before committing the policy change, creating an asymmetric enforcement condition where the policy creator is effectively exempt from the mandate they impose. No public exploit code has been identified and Capgo is not listed in the CISA Known Exploited Vulnerabilities catalog; the CVSS 4.0 score of 5.1 (PR:H) reflects that exploitation is constrained to already-privileged insiders.

Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant billing log tampering in Capgo (Cap-go/capgo) before 12.128.2 allows unauthenticated attackers holding only the public Supabase publishable anon key to insert or overwrite build_logs rows for arbitrary organizations via the SECURITY DEFINER PostgREST RPC public.record_build_time. Because the function is granted to the anon role and uses ON CONFLICT (build_id, org_id) DO UPDATE, attackers can inflate or alter another tenant's billable build time, producing financial-impact denial of service. No public exploit identified at time of analysis, though the vendor advisory (GHSA-42xj-3h9w-26h5) and a VulnCheck write-up describe the attack path in detail.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a victim's email address before that email is verified, then lock the legitimate owner out by enabling two-factor authentication on the squatted account. The flaw stems from a CWE-640 weak password recovery / account-binding logic issue and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's Enforce Password Policy feature in versions before 12.128.2 permanently locks Super Admins out of their organization through a backend state management flaw, constituting a targeted denial-of-service against administrative access. When a Super Admin enables the password policy and successfully changes their password to a policy-compliant value, the backend fails to mark the account compliant, trapping the account in an infinite forced-password-reset loop and severing all organization management access. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite and pure availability impact with no confidentiality or integrity consequence.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant data exposure in Capgo before 12.128.2 lets an authenticated org-scoped read API key reach other tenants' PostgREST endpoints and pull HMAC webhook signing secrets plus delivery logs. Disclosed by VulnCheck with a vendor GitHub Security Advisory (GHSA-hj3h-v877-g5rx); no public exploit identified at time of analysis, and the secrets retrieved enable subsequent forgery of authentic-looking webhook events against victim organizations.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering with HTTP responses returned to the client, which the application trusts to decide whether verification succeeded. Successful exploitation enables fraudulent 2FA enrollment and account takeover, and no public exploit has been identified at time of analysis though VulnCheck has published an advisory describing the response-manipulation technique.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Capgo before 12.128.2 allows remote unauthenticated attackers to lock legitimate users out of the platform for 30 days by registering accounts with arbitrary unverified email addresses and immediately initiating account deletion, placing the targeted email in a pending-deletion lock state. The CVSS 4.0 score of 8.7 (High) reflects high availability impact achievable over the network without privileges or interaction; no public exploit identified at time of analysis, though the attack is trivially reproducible from the description.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy