Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.
Published: 2026-06-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The public.upsert_version_meta function, a SECURITY DEFINER function exposed through PostgREST RPC in Capgo releases prior to 12.128.2, performs no authorization check on its caller (CWE-862). Because it executes with the privileges of its owner rather than those of the caller, and is callable by the anonymous PostgREST role, an unauthenticated attacker can insert arbitrary rows into the version_meta table for any app_id. The result is persistent false data in storage-metrics dashboards and incorrect alerts across victim applications.

Affected Systems

Any Capgo instance running a version older than 12.128.2. The exposure does not depend on application configuration: the vulnerable RPC is reachable on the public PostgREST endpoint and can be called with the public anon key alone.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (v3.1: 5.3) indicates moderate severity: the impact is limited to integrity (VI:L), but exploitability is high because the RPC endpoint is network reachable and requires no privileges or user interaction. A single request to the upsert_version_meta RPC, carrying only the public anon key, is enough. The vulnerability is not listed in CISA KEV and no EPSS score is available, but the straightforward exploitation path and the persistence of the injected metrics make it a priority to remediate.

Generated by OpenCVE AI on June 20, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer if available
  • Restrict who can invoke public.upsert_version_meta: PostgREST exposes every function in its exposed schema that the request's database role is allowed to execute, and PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so revoke EXECUTE from PUBLIC and the anon role (or move the function out of the exposed schema) and make the function itself verify that the caller may write metrics for the requested app_id, since SECURITY DEFINER bypasses row-level security
  • Audit existing version_meta entries for anomalous data and reset any incorrectly injected rows to restore accurate metrics
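
The following PostgreSQL script is an added illustration of the weakness described in the Impact section and of the two recommended actions above; it is not Capgo's code. The table columns, the function signature, and the role names anon, authenticated and service_role (the convention implied by the "public anon key" in the description) are assumptions, as are the 'role' and 'sub' JWT claim names. The first function shows the weak shape: SECURITY DEFINER with the default EXECUTE grant to PUBLIC, so any PostgREST role, including anon, can write any app_id. The hardened version revokes the grant and checks the caller's identity inside the function.

```sql
-- Assumed, simplified schema (placeholder names, not Capgo's real tables).
-- No foreign key from version_meta to apps on purpose: the description says
-- rows can be inserted for *any* app_id, so orphaned rows must be possible.
create table if not exists public.apps (
  app_id   text primary key,
  owner_id uuid not null
);

create table if not exists public.version_meta (
  app_id     text        not null,
  version_id bigint      not null,
  size       bigint      not null,
  updated_at timestamptz not null default now(),
  primary key (app_id, version_id)
);

-- WEAK: SECURITY DEFINER runs as the function owner, so the caller's own
-- grants and any row-level security on version_meta no longer apply. PostgreSQL
-- grants EXECUTE on new functions to PUBLIC by default, so every PostgREST
-- role, anon included, can call POST /rpc/upsert_version_meta.
create or replace function public.upsert_version_meta(
  p_app_id text, p_version_id bigint, p_size bigint)
returns void
language sql
security definer
as $$
  insert into public.version_meta (app_id, version_id, size)
  values (p_app_id, p_version_id, p_size)
  on conflict (app_id, version_id)
  do update set size = excluded.size, updated_at = now();
$$;

-- HARDENED, step 1: take the function away from PUBLIC and anon, keep it for
-- the roles that legitimately write metrics. Revoking from PUBLIC alone is not
-- enough if anon was ever granted EXECUTE explicitly, so revoke from both.
revoke execute on function public.upsert_version_meta(text, bigint, bigint)
  from public, anon;
grant  execute on function public.upsert_version_meta(text, bigint, bigint)
  to authenticated, service_role;

-- Stop future functions in the exposed schema from defaulting to PUBLIC.
alter default privileges in schema public revoke execute on functions from public;

-- HARDENED, step 2: authorize inside the function, because SECURITY DEFINER
-- bypasses RLS. PostgREST publishes the verified JWT claims as JSON in the
-- request.jwt.claims setting; the claim names used here are assumptions.
-- CREATE OR REPLACE keeps the grants set in step 1.
create or replace function public.upsert_version_meta(
  p_app_id text, p_version_id bigint, p_size bigint)
returns void
language plpgsql
security definer
set search_path = public, pg_temp   -- pin search_path for SECURITY DEFINER
as $$
declare
  claims jsonb := coalesce(current_setting('request.jwt.claims', true), '{}')::jsonb;
begin
  if (claims->>'role') is distinct from 'service_role'
     and not exists (
       select 1 from public.apps a
       where a.app_id = p_app_id
         and a.owner_id::text = claims->>'sub')
  then
    raise exception 'not authorized to write version_meta for app %', p_app_id
      using errcode = '42501';   -- insufficient_privilege; PostgREST maps it to 403
  end if;

  insert into public.version_meta (app_id, version_id, size)
  values (p_app_id, p_version_id, p_size)
  on conflict (app_id, version_id)
  do update set size = excluded.size, updated_at = now();
end;
$$;

-- Audit (third recommended action): rows whose app_id matches no known app, or
-- whose size is impossible, are candidates for the injected data to reset.
select vm.*
from public.version_meta vm
left join public.apps a on a.app_id = vm.app_id
where a.app_id is null
   or vm.size <= 0;
```

Run the revoke and the function replacement in one transaction so there is no window in which the old body is callable with the new grants, and confirm the result from the outside: a POST to /rpc/upsert_version_meta with only the anon key should now return 401 or 403 from PostgREST instead of 200.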

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 00:30:00 +0000

Type         Values Removed   Values Added
Description                   Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.
Title                         Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via upsert_version_meta RPC
Weaknesses                    CWE-862
References
Metrics                       cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                              cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T00:14:36.846Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56213

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T01:30:05Z

Weaknesses