CVE-2026-56235

Source
https://cve.org/CVERecord?id=CVE-2026-56235
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56235.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56235
Aliases
  • GHSA-gfpq-vphf-6gcm
Published
2026-06-20T15:24:42.678Z
Modified
2026-07-08T08:57:33.636468882Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Capgo - Unauthenticated Cross-Tenant Metrics Disclosure via RPC Functions
Details

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (getappmetrics, getglobalmetrics, gettotalmetrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sbpublishable*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56235.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/cap-go/capgo

Affected ranges

Type
GIT
Repo
https://github.com/cap-go/capgo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.128.2"
        }
    ]
}

Affected versions

0.*
0.1.6
0.1.8
0.11.0
0.14.0
0.14.2
0.14.5
0.14.6
0.15.1
0.16.0
0.16.1
0.16.3
0.18.2
0.19.0
0.20.1
0.20.2
0.23.0
0.24.1
0.26.0
0.26.1
0.29.1
0.29.5
0.3.1
0.30.12
0.30.12-alpha.1
0.30.19
0.30.2
0.30.5-alpha.4
0.30.6-alpha.0
0.30.6-alpha.2
0.30.8-alpha.0
0.30.8-alpha.1
0.30.8-alpha.4
0.30.9-alpha.0
0.30.9-alpha.10
0.30.9-alpha.15
0.30.9-alpha.16
0.30.9-alpha.3
0.30.9-alpha.6
0.30.9-alpha.9
0.6.1
1.*
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.12.1
1.13.11
1.13.12
1.13.13
1.13.3
1.13.4
1.13.5
1.14.4
1.14.6
1.16.0-alpha.0
1.16.1-alpha.0
1.16.3-alpha.0
1.17.0
1.17.0-alpha.0
1.17.0-alpha.1
1.18.0
1.18.1
1.18.10
1.18.16
1.18.2
1.18.24
1.18.26
1.18.28
1.18.33
1.18.36
1.18.4
1.18.5
1.18.8
1.18.9
1.19.3
1.19.4
1.19.5
1.20.0
1.20.1
1.20.2
1.20.3
1.21.0
1.21.10
1.21.11
1.21.19
1.21.23
1.21.25
1.21.6
1.21.7
1.21.8
1.21.9
1.22.1
1.22.2
1.23.0
1.23.1
1.24.0
1.24.1
1.24.10
1.24.16
1.24.17
1.24.18
1.24.2
1.24.3
1.25.14
1.25.2
1.25.6
1.25.7
1.26.1
1.26.2
1.27.0
1.27.1
1.27.2
1.27.3
1.27.6
1.28.3
1.31.1
1.31.3
1.31.4
1.33.3
1.34.0
1.35.0
1.35.1
1.36.12
1.36.15
1.36.22
1.36.24
1.36.25
1.36.4
1.36.41
1.36.49
1.36.7
1.36.8
1.37.15
1.37.22
1.37.31
1.37.5
1.39.0
1.43.1
1.44.1
1.44.11
1.44.12
1.44.15
1.44.16
1.44.19
1.44.21
1.44.26
1.45.0
1.45.1
1.45.2
1.45.3
1.45.4
1.46.0
1.46.4
1.47.0
1.47.1
1.47.3
1.48.0
1.48.1
1.50.0
1.50.1
1.50.2
1.50.3
1.51.0
1.52.1
1.52.2
1.52.3
1.53.0
1.53.1
1.53.2
1.53.3
1.53.4
1.53.5
1.53.6
1.53.7
1.53.8
1.54.0
1.54.1
1.54.2
1.54.3
1.54.4
1.54.5
1.54.6
1.54.9
1.55.0
1.55.12
1.55.2
1.55.23
1.55.3
1.55.31
1.55.35
1.55.37
1.55.38
1.55.39
1.55.4
1.55.42
1.55.43
1.55.44
1.55.5
1.55.6
1.55.9
1.58.1
1.58.15
1.58.16
1.6.11
1.6.7
1.60.4
1.61.12
1.61.14
1.61.15
1.61.17
1.61.2
1.61.21
1.61.23
1.61.27
1.61.33
1.61.34
1.61.35
1.62.0
1.62.1
1.62.4
1.64.1
1.66.4
1.7.10
1.7.15
1.7.24
1.7.27
1.7.28
1.8.1
1.8.3
1.8.6
1.8.7-alpha.0
1.8.7-alpha.1
1.8.7-alpha.2
1.9.0-alpha.0
1.9.1
1.9.10
1.9.6
1.9.7
1.9.9
10.*
10.0.0
capgo-12.*
capgo-12.123.9
capgo-12.124.0
capgo-12.124.1
capgo-12.124.3
capgo-12.124.4
capgo-12.124.5
capgo-12.124.6
capgo-12.124.7
capgo-12.124.9
capgo-12.125.0
capgo-12.126.0
capgo-12.126.1
capgo-12.126.2
capgo-12.127.0
capgo-12.127.1
capgo-12.127.10
capgo-12.127.11
capgo-12.127.12
capgo-12.127.13
capgo-12.127.14
capgo-12.127.15
capgo-12.127.16
capgo-12.127.17
capgo-12.127.18
capgo-12.127.19
capgo-12.127.2
capgo-12.127.20
capgo-12.127.21
capgo-12.127.22
capgo-12.127.23
capgo-12.127.3
capgo-12.127.4
capgo-12.127.5
capgo-12.127.8
capgo-12.127.9
capgo-12.128.0
capgo-12.128.1
cli-7.*
cli-7.94.0
cli-7.94.1
cli-7.94.5
cli-7.94.6
cli-7.94.7
cli-7.94.8
cli-7.94.9
cli-7.95.0
cli-7.95.1
cli-7.95.10
cli-7.95.2
cli-7.95.3
cli-7.95.4
cli-7.95.5
cli-7.95.6
cli-7.95.7
cli-7.95.8
cli-7.95.9
v12.*
v12.100.0
v12.100.1
v12.100.10
v12.100.11
v12.100.12
v12.100.13
v12.100.14
v12.100.15
v12.100.3
v12.100.4
v12.100.5
v12.100.6
v12.100.7
v12.100.8
v12.100.9
v12.101.0
v12.101.1
v12.102.0
v12.102.1
v12.102.2
v12.102.3
v12.102.4
v12.102.6
v12.103.1
v12.104.2
v12.104.3
v12.105.0
v12.105.3
v12.105.4
v12.105.5
v12.105.6
v12.105.8
v12.105.9
v12.106.0
v12.106.1
v12.106.2
v12.107.0
v12.107.1
v12.107.10
v12.107.11
v12.107.19
v12.107.2
v12.107.20
v12.107.21
v12.107.22
v12.107.24
v12.107.26
v12.107.3
v12.107.4
v12.107.5
v12.107.6
v12.107.7
v12.107.8
v12.108.0
v12.108.1
v12.108.10
v12.108.11
v12.108.12
v12.108.13
v12.108.14
v12.108.15
v12.108.16
v12.108.17
v12.108.18
v12.108.19
v12.108.2
v12.108.3
v12.108.4
v12.108.5
v12.108.6
v12.108.7
v12.108.8
v12.108.9
v12.109.0
v12.109.1
v12.109.10
v12.109.11
v12.109.12
v12.109.13
v12.109.14
v12.109.15
v12.109.17
v12.109.2
v12.109.3
v12.109.4
v12.109.5
v12.109.6
v12.109.7
v12.109.8
v12.109.9
v12.110.0
v12.110.2
v12.110.3
v12.110.4
v12.110.5
v12.110.6
v12.111.1
v12.111.2
v12.111.3
v12.112.0
v12.112.1
v12.112.2
v12.112.3
v12.112.4
v12.112.5
v12.112.6
v12.113.0
v12.113.1
v12.113.2
v12.114.0
v12.114.1
v12.114.12
v12.114.2
v12.114.4
v12.114.6
v12.114.7
v12.114.9
v12.115.0
v12.115.2
v12.116.0
v12.116.1
v12.116.10
v12.116.11
v12.116.12
v12.116.13
v12.116.14
v12.116.15
v12.116.16
v12.116.17
v12.116.18
v12.116.19
v12.116.2
v12.116.20
v12.116.21
v12.116.22
v12.116.23
v12.116.24
v12.116.27
v12.116.28
v12.116.29
v12.116.3
v12.116.30
v12.116.33
v12.116.34
v12.116.39
v12.116.4
v12.116.40
v12.116.41
v12.116.45
v12.116.46
v12.116.47
v12.116.48
v12.116.49
v12.116.5
v12.116.50
v12.116.51
v12.116.52
v12.116.53
v12.116.54
v12.116.55
v12.116.56
v12.116.57
v12.116.58
v12.116.59
v12.116.6
v12.116.60
v12.116.61
v12.116.62
v12.116.63
v12.116.64
v12.116.65
v12.116.66
v12.116.67
v12.116.68
v12.116.69
v12.116.7
v12.116.70
v12.116.71
v12.116.72
v12.116.8
v12.116.9
v12.117.1
v12.117.2
v12.117.3
v12.117.4
v12.117.5
v12.117.6
v12.117.8
v12.118.0
v12.118.1
v12.118.2
v12.119.0
v12.119.10
v12.119.12
v12.119.13
v12.119.14
v12.119.15
v12.119.16
v12.119.17
v12.119.18
v12.119.19
v12.119.20
v12.119.21
v12.119.3
v12.119.4
v12.119.5
v12.119.6
v12.119.8
v12.119.9
v12.120.10
v12.120.11
v12.120.12
v12.120.13
v12.120.14
v12.120.15
v12.120.16
v12.120.19
v12.120.20
v12.120.4
v12.120.5
v12.120.6
v12.120.7
v12.120.8
v12.120.9
v12.121.0
v12.121.1
v12.121.10
v12.121.11
v12.121.2
v12.121.4
v12.121.5
v12.121.6
v12.121.7
v12.121.8
v12.121.9
v12.122.0
v12.122.1
v12.122.10
v12.122.11
v12.122.12
v12.122.13
v12.122.14
v12.122.15
v12.122.16
v12.122.2
v12.122.3
v12.122.4
v12.122.5
v12.122.6
v12.122.7
v12.122.8
v12.122.9
v12.123.0
v12.123.1
v12.123.2
v12.123.3
v12.123.4
v12.123.5
v12.123.6
v12.123.7
v12.123.8
v12.55.3
v12.55.4
v12.55.5
v12.55.8
v12.55.9
v12.56.0
v12.56.1
v12.56.10
v12.56.11
v12.56.12
v12.56.13
v12.56.14
v12.56.15
v12.56.16
v12.56.18
v12.56.2
v12.56.24
v12.56.25
v12.56.26
v12.56.4
v12.56.6
v12.56.7
v12.56.8
v12.56.9
v12.73.2
v12.84.5
v12.84.6
v12.85.0
v12.85.1
v12.85.2
v12.85.3
v12.85.4
v12.85.7
v12.85.8
v12.85.9
v12.86.0
v12.86.2
v12.87.1
v12.89.12
v12.89.14
v12.89.15
v12.89.16
v12.89.17
v12.89.5
v12.89.6
v12.89.9
v12.90.0
v12.90.1
v12.90.2
v12.90.3
v12.91.0
v12.91.1
v12.91.10
v12.91.12
v12.91.14
v12.91.15
v12.91.2
v12.91.3
v12.91.4
v12.91.5
v12.91.6
v12.91.7
v12.91.8
v12.91.9
v12.92.0
v12.93.0
v12.93.1
v12.93.2
v12.93.3
v12.93.4
v12.93.5
v12.93.6
v12.94.0
v12.94.1
v12.94.2
v12.94.6
v12.95.0
v12.96.0
v12.96.1
v12.96.2
v12.97.0
v12.97.1
v12.98.1
v12.98.2
v12.98.3
v12.99.0
v12.99.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56235.json"