PatchSiren cyber security CVE debrief
CVE-2026-56311 Capgo CVE debrief
CVE-2026-56311 is a medium-severity authorization-bypass vulnerability in Capgo, a cloud-based service. It allows unauthenticated attackers to retrieve organization plan limits. The flaw is located in the public.get_current_plan_max_org RPC function: an attacker can call the RPC endpoint with any organization UUID and the public Supabase key to disclose sensitive billing information, including the MAU, bandwidth, storage, and build time limits of any organization. The vulnerability was publicly disclosed on June 22, 2026, and the CVE record was last modified on June 23, 2026. The vendor, Capgo, has not provided a canonical source for this vulnerability.
- Vendor: Capgo
- Product: Unknown
- CVSS: 6.9 (Medium)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-23
Who should care
Organizations using Capgo services should be aware of this vulnerability, as it allows unauthenticated attackers to access sensitive billing information. Security teams and administrators responsible for cloud-based services should prioritize patching or mitigating this vulnerability to prevent potential data breaches.
Technical summary
CVE-2026-56311 is an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function of Capgo. It has a CVSS score of 6.9 and a medium severity rating. The function allows unauthenticated attackers to retrieve arbitrary organization plan limits by calling the RPC endpoint with any organization UUID and the public Supabase key. No authentication is required, and beyond the target organization's UUID the attacker needs no prior knowledge of the organization's internal structure.
Defensive priority
Medium priority should be given to patching or mitigating this vulnerability, as it allows unauthenticated access to sensitive billing information. Security teams should work to identify and update affected Capgo instances.
Recommended defensive actions
- Review and apply patches or updates provided by Capgo to address this vulnerability.
- Restrict access to the public.get_current_plan_max_org RPC function to authenticated users only.
- Monitor Capgo services for suspicious activity and implement additional security controls to prevent exploitation.
- Perform a thorough inventory of Capgo instances and ensure they are up-to-date with the latest security patches.
- Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent exploitation attempts.
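The following is an added example of the second action above (restricting the RPC function to authenticated callers), written for a Supabase-backed Postgres database. It is not Capgo's code and does not reflect Capgo's actual fix. The function signature (one uuid parameter named org_id), the return columns, and the org_users and org_plan_limits tables are assumptions made for illustration; only the function name and the Supabase anon/authenticated roles come from the page or from Supabase's documented role model. Because an authenticated-only grant still lets any signed-in user pass any organization UUID, the example also shows a membership check inside the function, which is the part that actually closes the authorization gap.

```sql
-- Added example, not Capgo's code. Assumed: the RPC takes one uuid argument
-- (org_id), plan limits live in public.org_plan_limits, and membership is
-- recorded in public.org_users(org_id uuid, user_id uuid).

-- 1. Tie the caller to the organization inside the function. Supabase exposes
--    the JWT subject as auth.uid(); it is NULL for the anon (public key) role.
--    A caller who is not a member of org_id gets an error instead of another
--    organization's plan limits.
CREATE OR REPLACE FUNCTION public.get_current_plan_max_org(org_id uuid)
RETURNS TABLE (mau bigint, bandwidth bigint, storage bigint, build_time bigint)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF auth.uid() IS NULL
     OR NOT EXISTS (SELECT 1
                    FROM public.org_users ou
                    WHERE ou.org_id  = get_current_plan_max_org.org_id
                      AND ou.user_id = auth.uid()) THEN
    RAISE EXCEPTION 'not a member of organization %', org_id
      USING ERRCODE = '42501';  -- insufficient_privilege
  END IF;

  RETURN QUERY
    SELECT p.mau, p.bandwidth, p.storage, p.build_time
    FROM public.org_plan_limits p
    WHERE p.org_id = get_current_plan_max_org.org_id;
END;
$$;

-- 2. Remove the anonymous role's ability to call the function at all.
--    Postgres grants EXECUTE on new functions to PUBLIC by default, so revoke
--    from PUBLIC as well as anon, then grant only to signed-in users.
REVOKE EXECUTE ON FUNCTION public.get_current_plan_max_org(uuid) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.get_current_plan_max_org(uuid) TO authenticated;

-- 3. Verify: anon must not appear with EXECUTE on this routine.
SELECT grantee, privilege_type
FROM information_schema.routine_privileges
WHERE routine_schema = 'public'
  AND routine_name   = 'get_current_plan_max_org';
```

Run the three steps in this order: CREATE OR REPLACE keeps existing grants, so the REVOKE/GRANT pair is applied last and the information_schema query confirms the final state. If the real function's return type differs from the assumed one, CREATE OR REPLACE will refuse to change it, and the function has to be dropped and recreated instead.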
Evidence notes
The CVE record for CVE-2026-56311 was obtained from the National Vulnerability Database (NVD). The vulnerability was publicly disclosed on June 22, 2026, and the CVE record was last modified on June 23, 2026. The vendor, Capgo, has not provided a canonical source for this vulnerability. Additional information was obtained from Vulncheck, which provided details on the vulnerability and its impact.
Official resources
This article is AI-assisted and based on the supplied source corpus.