5 matches found
EUVD-2026-43170
Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transferapp RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling...
CVE-2026-56327 Capgo - Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...
CVE-2026-56327
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...
CVE-2026-56235
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...
EUVD-2026-38100
Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints istrialorg and ispayingorg that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sbpublishable key. Attackers can invoke these endpoin...