Impact
Capgo prior to version 12.128.2 has an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics). These functions are granted to the anon Supabase role without enforcing organization membership or permission checks. An unauthenticated attacker who only has the public Supabase API key (sb_publishable_*) can query arbitrary org_id values and pull cross-tenant usage telemetry such as monthly active users, bandwidth, installs, and API calls. The vulnerability enables the attacker to enumerate application identifiers within a target organization and to determine whether an organization exists by observing whether the call returns metrics or an empty array, effectively leaking internal business data and exposing competitive intelligence.
Affected Systems
Cap-go Capgo products running any version before 12.128.2 are affected. The vulnerability resides in the Supabase PostgREST RPC layer that interfaces with Capgo’s backend. No other Capgo versions or components are listed as impacted.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only possession of the public Supabase API key, which is typically documented or embedded in client applications. The attack path is straightforward: a malicious actor sends RPC calls with arbitrary org_id parameters using the publishable key and retrieves sensitive telemetry. The lack of org membership checks and the public nature of the key make this a low‑barrier breach that can be performed from anywhere over the internet.
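The missing control described under Impact and Risk above is a membership check inside the RPC plus correct EXECUTE grants. The following is an added illustration of a hardened shape for one of the listed functions; it is not Capgo's code or its actual fix, and the uuid parameter type, the org_users and app_metrics tables, and their columns are assumptions.

```sql
-- Added example, not Capgo's code. Assumed (hypothetical) objects:
--   public.org_users(org_id uuid, user_id uuid)
--   public.app_metrics(org_id uuid, app_id text, mau bigint,
--                      bandwidth bigint, installs bigint, api_calls bigint)

-- 1. Enforce org membership inside the function, so a caller holding a JWT for
--    org A cannot read org B's telemetry simply by changing org_id.
CREATE OR REPLACE FUNCTION public.get_app_metrics(p_org_id uuid)
RETURNS TABLE (app_id text, mau bigint, bandwidth bigint,
               installs bigint, api_calls bigint)
LANGUAGE plpgsql
SECURITY INVOKER          -- run with the caller's rights, not the definer's
SET search_path = public  -- pin the schema so helpers cannot be shadowed
AS $$
BEGIN
  -- auth.uid() is the Supabase helper that reads the caller's JWT subject.
  -- It is NULL for anon requests, so the EXISTS test fails closed.
  IF NOT EXISTS (
    SELECT 1
    FROM public.org_users ou
    WHERE ou.org_id = p_org_id
      AND ou.user_id = auth.uid()
  ) THEN
    -- One identical error whether the org is missing or the caller is not a
    -- member: the response then does not reveal whether an org_id exists.
    RAISE EXCEPTION 'not authorized' USING ERRCODE = '42501';
  END IF;

  RETURN QUERY
    SELECT m.app_id, m.mau, m.bandwidth, m.installs, m.api_calls
    FROM public.app_metrics m
    WHERE m.org_id = p_org_id;
END;
$$;

-- 2. Do not expose the function to unauthenticated callers at all.
--    Postgres grants EXECUTE on new functions to PUBLIC by default, and
--    CREATE OR REPLACE keeps existing grants, so revoke explicitly.
REVOKE EXECUTE ON FUNCTION public.get_app_metrics(uuid) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION public.get_app_metrics(uuid) FROM anon;
GRANT  EXECUTE ON FUNCTION public.get_app_metrics(uuid) TO authenticated;
```

After applying this pattern, a PostgREST call to `/rest/v1/rpc/get_app_metrics` with only the publishable key should be rejected with a permission error rather than returning rows or an empty array, which is the regression check to keep in the test suite.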
OpenCVE Enrichment