Lucene search
K

4 matches found

OSV
OSV
added last week1 views

CVE-2026-56226 Capgo - Unauthenticated Organization Data Disclosure via get_orgs_v6 RPC

Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...

8.7CVSS6.2AI score0.00255EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 10:8 p.m.15 views

CVE-2026-56224

Capgo: vulnerability in console.capgo.app/login prior to version 12.128.2 allows access_token and refresh_token to be accepted in URL query parameters, leading to automatic user authentication without user confirmation. Practically, an attacker can craft a malicious link that lures a victim into ...

5.4CVSS5.8AI score0.00194EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/23 12:12 p.m.9 views

EUVD-2026-38430

Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforcehashedapikeys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References2
OSV
OSV
added 2026/06/21 1:26 p.m.3 views

CVE-2026-56229 Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS6AI score0.00221EPSS
Exploits0References4
Rows per page
Query Builder