Description
Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key. Attackers can invoke these endpoints to determine organization existence via distinguishable return values and identify paying customers for targeted profiling.
Published: 2026-06-20
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 contain an information disclosure flaw in the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org. The endpoints can be called with the public sb_publishable key, which is shipped inside client applications and is therefore available to anyone, and they return distinguishable responses that reveal whether a given organization exists and whether it is a paying customer. An unauthenticated attacker can enumerate candidate organization identifiers with plain HTTP requests and learn their billing status, which supports targeted profiling of paying customers.

Affected Systems

Any Capgo deployment running a version earlier than 12.128.2 that exposes the is_trial_org and is_paying_org RPC endpoints is affected. This includes every installation in which those functions can be executed with only the public sb_publishable key, that is, without an authenticated user session.

Risk and Exploitability

The 8.7 figure is the CVSS v4.0 base score, which classifies this as high severity; the CVSS v3.1 vector scores 7.5. No EPSS score is available and the issue is not listed in the CISA KEV catalog, but exploitation is low effort: the attacker needs only the publicly distributed key and no credentials, and because the responses differ between existing and non‑existing organizations, organization identifiers can be enumerated as fast as the endpoint accepts requests. The practical risk is that an attacker can compile a list of Capgo customer organizations and single out the paying ones for targeted profiling.

Generated by OpenCVE AI on June 20, 2026 at 01:20 UTC.

Remediation

The CVE description identifies 12.128.2 as the first fixed version; no vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later, the first version the CVE description identifies as fixed.
  • Restrict the is_trial_org and is_paying_org RPC functions so that they can only be executed by an authenticated user who is a member of the organization being queried, and return the same result for a non‑existent organization as for one the caller is not permitted to see, so that the response no longer acts as an existence oracle.
  • Do not rely on rotating the sb_publishable key: Supabase publishable (anon) keys are embedded in clients and are public by design, so a replacement key is disclosed just as quickly. Instead, revoke EXECUTE on any function that discloses sensitive information from the anon role, so that requests carrying only the publishable key never reach it.
  • Monitor requests to these RPC endpoints for enumeration patterns, such as a single source querying many distinct organization identifiers, and investigate any unsolicited traffic.
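The following SQL shows the access-control fix the recommendations above describe, as an added example that is not Capgo's code or migration. The function name is_paying_org comes from the CVE; the organizations and org_users tables, their columns, and the uuid parameter type are assumptions made for illustration. The first definition reproduces the vulnerable pattern (executable by the anon role that PostgREST uses for requests carrying only the publishable key, with a result that differs for existing and non-existing organizations); the second is the hardened form.

```sql
-- Added example, not Capgo's own code. Table/column names, the org_users
-- membership table and the uuid parameter are assumptions for illustration.

-- Vulnerable pattern: anon may execute the function, and the result is
-- NULL for an unknown org but true/false for a known one, so the response
-- itself reveals existence and billing status.
CREATE OR REPLACE FUNCTION public.is_paying_org(orgid uuid)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
AS $$
  SELECT o.is_paying FROM public.organizations o WHERE o.id = orgid;
$$;
-- PostgREST exposes this as POST /rest/v1/rpc/is_paying_org, and Supabase's
-- default privileges grant EXECUTE on new functions in public to anon.

-- Hardened form: only callers who are members of the org get a real answer;
-- everyone else gets false, so "unknown org" and "not your org" look alike.
-- SET search_path pins name resolution for a SECURITY DEFINER function.
CREATE OR REPLACE FUNCTION public.is_paying_org(orgid uuid)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
  SELECT COALESCE(
    (SELECT o.is_paying
       FROM public.organizations o
       JOIN public.org_users m ON m.org_id = o.id
      WHERE o.id = orgid
        AND m.user_id = auth.uid()),
    false);
$$;

-- CREATE OR REPLACE keeps existing grants, so revoke explicitly.
-- PUBLIC holds EXECUTE on functions by default in PostgreSQL.
REVOKE EXECUTE ON FUNCTION public.is_paying_org(uuid) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.is_paying_org(uuid) TO authenticated;

-- Check: a request with only the publishable key runs as anon, so this
-- must now fail with "permission denied for function is_paying_org".
SET ROLE anon;
SELECT public.is_paying_org('00000000-0000-0000-0000-000000000001');
RESET ROLE;
```

Apply the same treatment to is_trial_org. The REVOKE alone closes the unauthenticated path; the membership check and the uniform false return are what stop an authenticated but unrelated user from running the same enumeration with a free account.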


Advisories

No advisories yet.

History

Sat, 20 Jun 2026 00:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key. Attackers can invoke these endpoints to determine organization existence via distinguishable return values and identify paying customers for targeted profiling.
Title | (none) | Capgo - Unauthenticated Organization Enumeration and Billing Status Disclosure via Supabase RPC
Weaknesses | (none) | CWE-200
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | (none) | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T00:14:37.599Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56214

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T01:30:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor