39 matches found
CVE-2026-56235
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...
CVE-2026-56214
Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints istrialorg and ispayingorg that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sbpublishable key. Attackers can invoke these endpoin...
CVE-2026-56213
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsertversionmeta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into versionmeta for any appid. Attackers can exploit this by calling the RPC...
CVE-2026-56214
Capgo up to version 12.128.1 is affected by an information disclosure in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org, allowing unauthenticated attackers to enumerate organizations and reveal billing status using the public sb_publishable key. Impact is high for confidentiality...
EUVD-2026-38100
Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints istrialorg and ispayingorg that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sbpublishable key. Attackers can invoke these endpoin...
CVE-2026-56213
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsertversionmeta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into versionmeta for any appid. Attackers can exploit this by calling the RPC...
EUVD-2026-38099
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsertversionmeta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into versionmeta for any appid. Attackers can exploit this by calling the RPC...
PT-2026-51149
Name of the Vulnerable Software and Affected Versions capgo versions prior to 12.128.2 Description An authorization bypass exists in several Supabase PostgREST RPC functions: get app metrics, get global metrics, and get total metrics. These functions are granted to the anon role without enforcing...
PT-2026-51043
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authorization bypass exists in the public.upsert version meta SECURITY DEFINER function exposed via PostgREST RPC. This allows unauthenticated attackers to insert arbitrary rows into version meta...
CVE-2026-56082
Capgo Cap-go/capgo before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.recordbuildtime, which is granted to the anon role and callable with only the public Supabase publishable sbpublishable anon key. An unauthenticated attacker...
CVE-2026-56079
Capgo before 12.128.2 contains a cross-tenant authorization bypass in PostgREST endpoints that lets org-scoped read API keys access other tenants’ webhook secrets and delivery logs. Attackers can query webhooks and webhook_deliveries to exfiltrate HMAC signing secrets and delivery payloads, enabl...
CVE-2026-56079 Capgo - Cross-Tenant Authorization Bypass via PostgREST Webhook Access
Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhookdeliveries endpoints to exfiltrate HMAC signing...
PT-2026-51040
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Improper access control exists in the SECURITY DEFINER PostgREST RPC function public.record build time. This function is granted to the anon role and can be called using only the public Supabase...
PT-2026-51037
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A cross-tenant authorization bypass exists in PostgREST endpoints. This issue allows API keys with organization-level read permissions to access webhook secrets and delivery logs belonging to other...
CVE-2025-67259
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST...
EUVD-2025-209575
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST...
PT-2026-34882
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST...
CVE-2025-67259
Affects ClassroomIO v0.1.13. A Broken Access Control vulnerability allows an authenticated low-privilege student to access unauthorized course information by altering intercepted API requests. Specifically, changing a captured POST request to a GET against the /rest/v1/course PostgREST endpoint e...
PostgREST API Server Detected
PostgREST is a standalone web server that turns your PostgreSQL database directly into a RESTful API. By default, PostgREST does not implement any authentication or access control mechanisms, which can lead to unauthorized access to sensitive data if the server is exposed to untrusted networks...