Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the authenticated user, an attacker using only the public publishable API key can query POST /rest/v1/rpc/getorgsv6 with an arbitrary user UUID to retrieve that user's organization membership, roles, subscription/trial metadata, and management_email (PII).
{
"cwe_ids": [
"CWE-200"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56226.json",
"cna_assigner": "VulnCheck"
}