Description
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 allows non-admin API keys to read webhook signing secrets via the Supabase REST interface because the webhooks table does not enforce proper row-level security policies. An attacker who obtains a non-admin key can retrieve the secret and forge an X-Capgo-Signature header, then send authenticated events to any configured receiver. This defeats the authenticity and integrity guarantees of the webhook, enabling data tampering, fraud, or further access to protected resources. The weakness is a disclosure of sensitive information as defined by CWE-200.

Affected Systems

The vulnerability affects Capgo deployments running any version earlier than 12.128.2. System administrators should verify whether their Capgo instance is on a release prior to that version and identify any non-admin API keys in use.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact when the conditions are met. Because EPSS is not available, the likelihood of exploitation is uncertain, but the issue is not listed in the CISA KEV catalog, suggesting it is considered a moderate-to-high risk but not yet widely exploited. Attackers need only possess a non-admin API key and access the public Supabase endpoint; therefore the attack vector is external, via normal API calls.

Generated by OpenCVE AI on June 24, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capgo version 12.128.2 or later to restore proper row-level security on the webhooks table.
  • Revoke any non-admin API keys that have been granted access to webhook resources and tighten RLS policies to prevent read access to secrets by non-admin users.
  • After applying the patch, regenerate any exposed webhook signing secrets, ensure they are stored securely, and validate incoming webhook signatures against the stored secret.
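The last two actions, regenerating an exposed secret and validating incoming signatures, are illustrated by the following receiver-side code. It is an added example, not Capgo's own code: the page names the X-Capgo-Signature header but not the signing scheme, so the example assumes a lowercase hex HMAC-SHA256 over the raw request body, and the secrets and event body are constructed. It shows constant-time verification, an overlap window in which the rotated and the exposed secret are both accepted while senders switch over, and the point at which signatures made with the exposed secret stop verifying.

```python
"""Receiver-side verification of a webhook signature, as an added example.

Assumptions (not taken from the page): the X-Capgo-Signature header carries a
lowercase hex HMAC-SHA256 over the raw request body. Only the header name is
on the page; the scheme, the secrets and the event body below are constructed.
"""
import hashlib
import hmac
import json
from typing import Iterable, Mapping

SIGNATURE_HEADER = "x-capgo-signature"  # header name from the page, lowercased for lookup


def sign(secret: bytes, body: bytes) -> str:
    """Assumed scheme: lowercase hex HMAC-SHA256 over the exact bytes received."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(headers: Mapping[str, str], body: bytes, valid_secrets: Iterable[bytes]) -> bool:
    """Accept the request only if the presented signature matches the body under
    one of the currently valid secrets.

    A list of secrets lets a receiver rotate after a disclosure: the new secret
    is added first, the exposed one is kept only until senders have switched,
    then removed. compare_digest keeps each comparison constant-time.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER, "").encode()
    if not presented:
        return False
    return any(hmac.compare_digest(sign(s, body).encode(), presented) for s in valid_secrets)


# Constructed values for the walkthrough; the exposed secret stands for one that a
# non-admin key could read before the fix described on the page.
EXPOSED_SECRET = b"constructed-old-secret"
ROTATED_SECRET = b"constructed-new-secret"
EVENT = json.dumps({"event": "bundle.uploaded", "app_id": "example-app"}, sort_keys=True).encode()


def rotation_walkthrough() -> dict:
    """Show what verification accepts at each stage of rotating an exposed secret."""
    signed_with_exposed = {"X-Capgo-Signature": sign(EXPOSED_SECRET, EVENT)}
    signed_with_rotated = {"X-Capgo-Signature": sign(ROTATED_SECRET, EVENT)}
    tampered = EVENT.replace(b"example-app", b"other-app")
    return {
        # Before rotation: any holder of the exposed secret produces an accepted signature.
        "exposed_accepted_before_rotation": verify(signed_with_exposed, EVENT, [EXPOSED_SECRET]),
        # Overlap window: both secrets valid while senders switch over.
        "exposed_accepted_during_overlap": verify(signed_with_exposed, EVENT, [ROTATED_SECRET, EXPOSED_SECRET]),
        "rotated_accepted_during_overlap": verify(signed_with_rotated, EVENT, [ROTATED_SECRET, EXPOSED_SECRET]),
        # After the exposed secret is retired, its signatures no longer verify.
        "exposed_rejected_after_rotation": not verify(signed_with_exposed, EVENT, [ROTATED_SECRET]),
        "rotated_accepted_after_rotation": verify(signed_with_rotated, EVENT, [ROTATED_SECRET]),
        # A valid signature over a different body is rejected: the integrity check.
        "tampered_body_rejected": not verify(signed_with_rotated, tampered, [ROTATED_SECRET]),
        # No header at all is rejected rather than treated as unsigned-but-fine.
        "missing_header_rejected": not verify({}, EVENT, [ROTATED_SECRET]),
    }


if __name__ == "__main__":
    for check, ok in rotation_walkthrough().items():
        print(f"{check}: {ok}")
```

The overlap list is the practical part of "regenerate any exposed webhook signing secrets": the receiver keeps accepting the old secret only for as long as senders need to pick up the new one, and the rotation is only complete once the exposed secret has been removed from the list.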

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cap-go
                                      Cap-go cap-go
Vendors & Products                    Cap-go
                                      Cap-go cap-go

Wed, 24 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:00:00 +0000

Type          Values Removed   Values Added
Description                    Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.
Title                          Capgo - Webhook Signing Secret Disclosure via Non-Admin API Key
Weaknesses                     CWE-200
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0
                               {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T12:48:00.963Z

Reserved: 2026-06-19T21:53:16.001Z

Link: CVE-2026-56244

Vulnrichment

Updated: 2026-06-24T12:47:29.096Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor