PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56235 Cap-go CVE debrief

CVE-2026-56235 is a MEDIUM-severity vulnerability (CVSS 6.9) in Cap-go capgo before version 12.128.2. Several Supabase PostgREST RPC functions are executable by the unauthenticated anon role and perform no org-membership or permission check, so anyone holding the project's public API key can read usage telemetry for arbitrary orgs and enumerate their app IDs. The CVE was published on June 20, 2026. Affected deployments should update to 12.128.2 or later.

Vendor
Cap-go
Product
capgo
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-20
Original CVE updated
2026-06-22
Advisory published
2026-06-20
Advisory updated
2026-06-22

Who should care

Anyone operating a Cap-go capgo deployment earlier than 12.128.2, in particular self-hosted instances whose Supabase project exposes these RPC functions. The Supabase publishable key is public by design, so exploitation requires no leaked credential and no account: exposure depends only on the database grants. Security teams and administrators responsible for such installations should apply the update and confirm that the fix is live in the database, not only in the application code.

Technical summary

The vulnerability is in the Supabase PostgREST RPC functions get_app_metrics, get_global_metrics, and get_total_metrics. They are executable by the anon role and do not check that the caller belongs to the org whose data is requested. With only the project's public Supabase API key (sb_publishable_*), an unauthenticated caller can invoke them with arbitrary org_id values and obtain cross-tenant usage telemetry (MAU, bandwidth, installs, gets), list the app IDs belonging to a target org, and, because the response differs for existing and non-existing orgs, use the functions as an oracle for whether a given org_id exists.
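The pattern behind this class of bug, shown as an added example that is not capgo's own schema: the table names, the org_users membership table, and the (org_id, start_date, end_date) signature are all assumptions for illustration. The first definition is the weak shape the advisory describes; the second refuses any org the caller is not a member of and removes the anon grant. Note that Postgres grants EXECUTE on new functions to PUBLIC by default, which is how anon ends up able to call a function nobody explicitly granted it.

```sql
-- Added example, not from capgo. Assumed objects: public.daily_app_usage
-- (org_id uuid, app_id text, usage_date date, mau/bandwidth/installs/gets bigint)
-- and public.org_users (org_id uuid, user_id uuid) recording org membership.

-- BEFORE: SECURITY DEFINER runs as the owner (bypassing RLS on the tables it
-- reads) and EXECUTE is granted to anon, so any caller with the publishable
-- key can pass any org_id and read that org's telemetry.
create or replace function public.get_app_metrics(org_id uuid, start_date date, end_date date)
returns table (app_id text, mau bigint, bandwidth bigint, installs bigint, gets bigint)
language sql
security definer
as $$
  select u.app_id, sum(u.mau)::bigint, sum(u.bandwidth)::bigint,
         sum(u.installs)::bigint, sum(u.gets)::bigint
  from public.daily_app_usage u
  where u.org_id = get_app_metrics.org_id
    and u.usage_date between start_date and end_date
  group by u.app_id;
$$;
grant execute on function public.get_app_metrics(uuid, date, date) to anon, authenticated;

-- AFTER: same signature, but (1) anon and PUBLIC cannot execute it at all, and
-- (2) the body checks that the JWT subject (auth.uid(), Supabase's helper that
-- returns the sub claim, null for anon) is a member of the requested org.
create or replace function public.get_app_metrics(org_id uuid, start_date date, end_date date)
returns table (app_id text, mau bigint, bandwidth bigint, installs bigint, gets bigint)
language plpgsql
security definer
set search_path = public  -- pin search_path: SECURITY DEFINER plus unqualified names is a classic footgun
as $$
begin
  if auth.uid() is null or not exists (
       select 1
       from public.org_users ou
       where ou.org_id = get_app_metrics.org_id
         and ou.user_id = auth.uid()
  ) then
    -- Identical error whether the org does not exist or is simply not the
    -- caller's: this removes the existence oracle. 42501 maps to HTTP 403 in PostgREST.
    raise exception 'not authorized' using errcode = '42501';
  end if;

  return query
    select u.app_id, sum(u.mau)::bigint, sum(u.bandwidth)::bigint,
           sum(u.installs)::bigint, sum(u.gets)::bigint
    from public.daily_app_usage u
    where u.org_id = get_app_metrics.org_id
      and u.usage_date between start_date and end_date
    group by u.app_id;
end;
$$;

revoke execute on function public.get_app_metrics(uuid, date, date) from public, anon;
grant  execute on function public.get_app_metrics(uuid, date, date) to authenticated;
```

The revoke alone is not sufficient: without the membership check inside the body, any signed-in user of one org could still read every other org's metrics, which is still cross-tenant disclosure. Conversely the check alone still leaves the function callable by anon (it would just always raise), so both halves belong together.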

Defensive priority

Medium priority. The documented impact is unauthenticated, cross-tenant disclosure of usage telemetry and app IDs plus an org-existence oracle; no data modification is described in the stored evidence, but the app-ID list and org enumeration are useful reconnaissance for follow-on attacks.

Recommended defensive actions

  • Inventory Cap-go capgo deployments, including self-hosted Supabase projects, and identify any running a version earlier than 12.128.2
  • Update to 12.128.2 or later; because the flaw lives in database function grants and function bodies, verify the fix in the Supabase project itself rather than only in the application version
  • Monitor API access logs for calls to the PostgREST RPC endpoints (/rest/v1/rpc/get_app_metrics, get_global_metrics, get_total_metrics) made with the anon role, and for a single client cycling through many org_id values
  • Audit every function in the exposed schema that anon can execute and confirm each one enforces org membership or permission checks in its body
  • Limit exposure by revoking EXECUTE from anon and PUBLIC on any function that serves tenant-specific data and granting it only to authenticated
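An audit query for the last two recommendations, added here as an example and not part of capgo or the advisory. It lists every function in the schema PostgREST exposes (assumed to be public, the Supabase default) that the anon role may execute, so each row can be checked for an in-body authorization test or have its grant revoked. The final statement changes the default for future functions in that schema.

```sql
-- Added audit query, not from capgo. Assumes PostgREST exposes the 'public'
-- schema and that the unauthenticated role is named 'anon' (Supabase defaults).
-- has_function_privilege() answers for the role regardless of whether the
-- privilege came directly, via a group, or via the implicit PUBLIC grant.
select n.nspname                                   as schema,
       p.proname                                   as function,
       pg_get_function_identity_arguments(p.oid)   as args,
       p.prosecdef                                 as security_definer,  -- true = runs as owner, bypasses RLS
       pg_get_userbyid(p.proowner)                 as owner
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and p.prokind in ('f', 'p')                      -- plain functions and procedures, not aggregates
  and has_function_privilege('anon', p.oid, 'EXECUTE')
order by p.prosecdef desc, p.proname;

-- Every row above is reachable as POST /rest/v1/rpc/<function> with only the
-- publishable key. SECURITY DEFINER rows that take an org or app identifier
-- deserve the closest look, since RLS on the underlying tables will not save them.

-- Stop new functions in this schema from being anon-callable by accident:
-- from now on, EXECUTE must be granted explicitly.
alter default privileges in schema public revoke execute on functions from public;
```

Run the query once before and once after applying the update: the three functions named in this advisory should either disappear from the list (grant revoked) or be confirmed to raise for any org the caller does not belong to.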

Evidence notes

The primary evidence for this vulnerability is the CVE record and the NVD detail page, which identify Cap-go capgo versions prior to 12.128.2 as affected and give a publication date of June 20, 2026. Defenders should confirm the affected-version range against the official advisory before relying on it, since the version boundary is the only indicator available here.

Official resources

This article is AI-assisted and based on the supplied source corpus.