CVE-2026-56235
Severity CVSS v4.0:
MEDIUM
Type:
CWE-200
Information Leak / Disclosure
Publication date:
20/06/2026
Last modified:
24/06/2026
Description
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
5.30
Severity 3.x
MEDIUM



