PatchSiren cyber security CVE debrief
CVE-2026-56248 Cap-go CVE debrief
CVE-2026-56248 is an unauthenticated denial-of-service vulnerability in Cap-go capgo (capgo-backend) before 12.128.12. The vulnerability arises from the audit_logs table's Row-Level Security (RLS) policy when the table is accessed via the Supabase PostgREST API. Unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts. Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints, resulting in an application-layer denial of service. The CVSS score for this vulnerability is 8.7, indicating high severity. The vulnerability was published on June 23, 2026, and last modified on the same day.
- Vendor: Cap-go
- Product: capgo
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Organizations running Cap-go capgo (capgo-backend) before version 12.128.12 should be aware of this vulnerability and take steps to mitigate it. It can be exploited by unauthenticated attackers, which makes it a high-priority issue. Because the impact is an application-layer denial of service that spills over onto unrelated endpoints, exploitation can significantly disrupt the whole service, not just the audit log feature.
Technical summary
The vulnerability in Cap-go capgo (capgo-backend) before 12.128.12 is caused by the audit_logs table's Row-Level Security (RLS) policy. When accessed via the Supabase PostgREST API, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). This occurs because the PostgreSQL query planner executes costly logic before RLS rejection. Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g., /orgs), resulting in an application-layer denial of service. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
High priority should be given to mitigating this vulnerability, as it can be exploited by unauthenticated attackers and has a high CVSS score of 8.7. Immediate action is necessary to prevent potential denial-of-service attacks.
Recommended defensive actions
- Update Cap-go capgo (capgo-backend) to version 12.128.12 or later.
- Implement additional monitoring to detect potential exploitation attempts.
- Review and adjust the RLS policy for the audit_logs table to prevent similar vulnerabilities.
- Consider implementing rate limiting or query restrictions on the public.audit_logs endpoint.
- Review which tables and views the Supabase PostgREST API exposes to the public anon key, and confirm that each exposure is intended.
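The following SQL illustrates the RLS review and query-restriction actions above on a PostgreSQL/Supabase database. It is an added example, not Capgo's actual schema, policy, or fix: the column and table names (org_id, org_users, user_id) and the policy name are assumptions, and the "weak" policy is a generic pattern of the kind that lets an unfiltered anon query do expensive work before any row is rejected. The hardened version removes anon's privilege on the table outright, scopes the policy to authenticated sessions, evaluates the cheap check first, supports the filter with indexes, and caps anon statement time.

```sql
-- Weak pattern (illustrative only, not Capgo's policy): anon still holds
-- SELECT on the table, and the USING clause runs a per-row subquery, so an
-- unfiltered SELECT by the public anon key scans and evaluates every row
-- before RLS rejects it. Under concurrency that is a statement-timeout storm.
ALTER TABLE public.audit_logs ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_logs_read ON public.audit_logs
  FOR SELECT
  USING (
    org_id IN (SELECT org_id FROM public.org_users WHERE user_id = auth.uid())
  );

-- Hardened version.

-- 1. Take the table away from anon entirely. Without SELECT privilege the
--    statement fails with "permission denied" at execution start, before any
--    rows are read or any policy is evaluated.
REVOKE SELECT ON public.audit_logs FROM anon;
GRANT SELECT ON public.audit_logs TO authenticated;

-- 2. Scope the policy to authenticated roles only, short-circuit on the cheap
--    identity check first, and wrap auth.uid() in a scalar subquery so it is
--    computed once per statement (an initPlan) rather than once per row.
DROP POLICY IF EXISTS audit_logs_read ON public.audit_logs;
CREATE POLICY audit_logs_read ON public.audit_logs
  FOR SELECT
  TO authenticated
  USING (
    (SELECT auth.uid()) IS NOT NULL
    AND org_id IN (
      SELECT org_id FROM public.org_users WHERE user_id = (SELECT auth.uid())
    )
  );

-- 3. Make the policy's filter cheap to evaluate (hypothetical columns).
CREATE INDEX IF NOT EXISTS audit_logs_org_id_idx ON public.audit_logs (org_id);
CREATE INDEX IF NOT EXISTS org_users_user_id_idx ON public.org_users (user_id);

-- 4. Bound the damage any remaining anon query can do: a per-role
--    statement_timeout is cheaper than letting the global timeout fire.
ALTER ROLE anon SET statement_timeout = '3s';
```

After applying the hardened version, confirm the change with an anon-key request to /rest/v1/audit_logs: it should now fail with a permission error immediately rather than hanging until the statement timeout (PostgREST error 57014) fires. Monitor the PostgreSQL log for bursts of "canceling statement due to statement timeout" as the detection signal for the Recommended defensive actions above.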
Evidence notes
The evidence for this vulnerability comes from the NVD and the CVE record. The CVE record provides a detailed description of the vulnerability, while the NVD provides additional information on the vulnerability's impact and CVSS score. The source item URL provides further details on the vulnerability and its exploitation.
Official resources
This article is AI-assisted and based on the supplied source corpus.