Description
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.
Published: 2026-06-23
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo’s backend before version 12.128.12 allows any unauthenticated user to invoke the audit_logs endpoint via Supabase PostgREST. The row‑level security policy for the audit_logs table triggers a costly PostgreSQL query planner operation before rejecting the request, which consistently causes statement timeouts. When multiple clients send such requests concurrently, database resources are exhausted and other endpoints experience cascading HTTP 500 failures, resulting in an application‑layer denial of service. The CVSS score of 8.7 reflects the severity of this disruption to service availability.

Affected Systems

The affected product is Cap-go:capgo, specifically the capgo-backend component. All releases earlier than 12.128.12 are vulnerable; versions 12.128.12 and later have applied the fix. No other vendors or products are listed as affected.

Risk and Exploitability

This vulnerability is remotely exploitable by any party with access to the public anon key, which is typically publicly available in the default Supabase configuration. The lack of authentication requirement means an attacker can easily craft requests. Although the EPSS score is not published, the high CVSS rating, combined with the potential for resource exhaustion and cascading failures, indicates a high risk of exploitation. The vulnerability is not yet listed in CISA’s KEV catalog, but its impact on service availability warrants immediate attention.

Generated by OpenCVE AI on June 23, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.12 or later to apply the vendor patch.
  • Reconfigure Supabase to remove public access to the audit_logs endpoint or enforce stricter row‑level security so that anonymous requests cannot trigger the expensive query logic.
  • Apply rate limiting or increase statement timeout thresholds at the database or reverse‑proxy level to mitigate large numbers of concurrent requests.
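The second and third actions above, as an added illustrative hardening in SQL for a Supabase/PostgreSQL deployment. This is example code, not Capgo's actual schema or policy; the org_id column, the public.org_users membership table, and the 3s timeout value are assumptions:

```sql
-- Illustrative hardening for a PostgREST-exposed audit log table (assumed
-- layout: public.audit_logs has an org_id column and membership lives in
-- public.org_users(org_id, user_id); anon/authenticated are Supabase's roles).

-- 1. Cheapest possible rejection: the anon role gets no SELECT privilege.
--    The privilege check happens before any RLS policy or planner work, so
--    unauthenticated callers receive a permission error instead of running
--    a query that can hit the statement timeout (57014).
REVOKE SELECT ON public.audit_logs FROM anon;

-- 2. Keep RLS enabled and scope the policy to authenticated users only,
--    restricting rows to the caller's own organisations.
ALTER TABLE public.audit_logs ENABLE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS audit_logs_select ON public.audit_logs;
CREATE POLICY audit_logs_select ON public.audit_logs
  FOR SELECT TO authenticated
  USING (
    org_id IN (
      SELECT ou.org_id FROM public.org_users AS ou
      WHERE ou.user_id = auth.uid()
    )
  );

-- 3. Index the columns the policy filters on so the membership subquery
--    stays cheap even when the table is unfiltered by the client.
CREATE INDEX IF NOT EXISTS org_users_user_id_idx ON public.org_users (user_id);
CREATE INDEX IF NOT EXISTS audit_logs_org_id_idx ON public.audit_logs (org_id);

-- 4. Bound the cost of any remaining anonymous statement with a short
--    per-role timeout (assumed value; keep it tight rather than raising it).
ALTER ROLE anon SET statement_timeout = '3s';
```

Verify with `EXPLAIN (ANALYZE)` as the authenticated role that the policy's subquery uses the index, and confirm with an anon-key request that the endpoint now returns a permission error rather than a timeout.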


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 14:30:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Description (values added): Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.
Title (values added): Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy
Weaknesses (values added): CWE-400
References (values added): none listed
Metrics (values added): cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:25:06.551Z

Reserved: 2026-06-19T21:53:16.001Z

Link: CVE-2026-56248

Vulnrichment

Updated: 2026-06-23T13:24:45.660Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption