PatchSiren cyber security CVE debrief
CVE-2026-56284 Cap-go CVE debrief
The CVE record for CVE-2026-56284 was published on 2026-07-08T14:17:16.100Z and has not been modified since then. The NVD entry is currently Deferred. This information disclosure vulnerability in Capgo (Cap-go/capgo) before version 12.128.2 allows unauthenticated attackers to probe organization existence and leak sensitive usage metrics. The vulnerability is related to the Supabase PostgREST RPC function public.get_total_metrics(org_id). Users of Capgo (Cap-go/capgo) before version 12.128.2 should be aware of this information disclosure vulnerability and take necessary actions to mitigate the risk.
- Vendor
- Cap-go
- Product
- capgo
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Capgo (Cap-go/capgo) before version 12.128.2 should be aware of this information disclosure vulnerability. This includes operators, administrators, and security teams responsible for managing and securing Capgo deployments. The vulnerability allows unauthenticated attackers to probe organization existence and leak sensitive usage metrics, which could have implications for the security and privacy of affected organizations.
Technical summary
The Supabase PostgREST RPC function public.get_total_metrics(org_id) in Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics, including MAU, bandwidth, and install counts, by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. The CVE record and NVD entry provide limited information about the vulnerability, and further investigation is necessary to fully understand the impact and scope.
Defensive priority
Medium priority due to the CVSS score of 6.9 and the potential for sensitive information disclosure.
Recommended defensive actions
- Update Capgo to version 12.128.2 or later
- Restrict access to the Supabase PostgREST RPC function public.get_total_metrics(org_id)
- Monitor for suspicious activity on the /rest/v1/rpc/get_total_metrics endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and verification are necessary to fully understand the impact and scope of the vulnerability. The Supabase PostgREST RPC function public.get_total_metrics(org_id) in Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics, including MAU, bandwidth, and install counts, by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs. However, details about the specific metrics leaked and the potential impact on affected organizations are not provided in the CVE record or NVD entry.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:16.100Z and has not been modified since then. The NVD entry is currently Deferred.