Description
Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.
Published: 2026-06-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A misconfigured Supabase images bucket in Capgo before 12.128.2 has no row level security policies restricting access, so unauthenticated clients can read, insert, and delete stored app icons. Listing or reading the bucket leaks the app IDs and user IDs it contains, and an attacker can delete every stored icon. The impact is therefore limited information disclosure (C:L in the CVSS vector) and limited integrity loss (I:L) of app display assets; availability of the service itself is not affected.

Affected Systems

Capgo deployments running any version earlier than 12.128.2 are affected. The vulnerability exists in the Supabase bucket handling the images storage for app icons.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (v3.1: 6.5) indicates medium severity: the bucket is reachable over the network, attack complexity is low, and neither privileges nor user interaction are required, with limited confidentiality and integrity impact and no availability impact. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, but the SSVC assessment records a public proof of concept and rates the issue as automatable. Exploitation consists of plain unauthenticated HTTP requests to the Supabase Storage bucket: an attacker who knows the bucket location can list and read icons, leaking app and user identifiers, and can delete them.

Generated by OpenCVE AI on June 24, 2026 at 13:53 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the description identifies 12.128.2 as the first version without the unsecured bucket configuration.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to eliminate the unsecured bucket configuration.
  • Configure the Supabase images bucket to enforce row level security and revoke any public or unauthenticated access permissions.
  • Monitor bucket logs for unauthorized read, write, or delete activities and respond promptly to detected incidents.
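The second action above, a bucket policy set that enforces row level security, in Postgres SQL as Supabase Storage consumes it. This is an added example, not Capgo's own schema or migration code: it assumes the bucket is named images, that icons are stored under a first path segment equal to the uploading user's auth UID, and that the permissive policy shown first (its name is hypothetical) stands in for whatever configuration produced the behaviour the advisory describes. The weak setting is shown beside the corrected one, followed by the queries to confirm the fix landed.

```sql
-- Added example, not Capgo's or Supabase's own scripts.
-- Assumptions: bucket id 'images'; icon objects live under '<auth uid>/...';
-- the policy "images_allow_all" is a hypothetical stand-in for a permissive
-- configuration that lets the anon key read, insert and delete objects.

-- 1. The weak setting: a public bucket plus one policy that grants every
--    operation to both the anon and authenticated roles on the whole bucket.
--    Any client holding the project's public anon key can list, upload and
--    delete icons with plain HTTP requests.
update storage.buckets set public = true where id = 'images';

create policy "images_allow_all"
  on storage.objects
  for all
  to anon, authenticated
  using (bucket_id = 'images')
  with check (bucket_id = 'images');

-- 2. The corrected setting: drop the permissive policy, stop serving the
--    bucket publicly, and replace it with per-operation policies that never
--    mention the anon role.
drop policy if exists "images_allow_all" on storage.objects;
update storage.buckets set public = false where id = 'images';

-- Reads (list and download): signed-in users only, so the object listing
-- that leaks app and user identifiers is no longer reachable anonymously.
create policy "images_read_authenticated"
  on storage.objects
  for select
  to authenticated
  using (bucket_id = 'images');

-- Writes: a user may only create, replace and delete objects under the
-- folder named after their own auth UID. storage.foldername(name) splits the
-- object path into its folder segments; auth.uid() is null for anon.
create policy "images_insert_own_folder"
  on storage.objects
  for insert
  to authenticated
  with check (
    bucket_id = 'images'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "images_update_own_folder"
  on storage.objects
  for update
  to authenticated
  using (
    bucket_id = 'images'
    and (storage.foldername(name))[1] = auth.uid()::text
  )
  with check (
    bucket_id = 'images'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "images_delete_own_folder"
  on storage.objects
  for delete
  to authenticated
  using (
    bucket_id = 'images'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- 3. Checks after applying the change.
-- The bucket must report public = false.
select id, public from storage.buckets where id = 'images';

-- No remaining policy on storage.objects should name the anon role, and
-- none should use a bare 'true' (or only a bucket_id test) as its qualifier
-- for insert, update or delete.
select policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'storage' and tablename = 'objects'
order by policyname;
```

If icons must still be displayed to users who are not signed in, the bucket can be left public so that individual objects remain downloadable by exact path, but no select policy should be granted to anon: in Supabase Storage the public flag only covers download-by-path, while listing the bucket (the operation that exposes the identifiers) always goes through a select policy, and insert and delete always require their own policies.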


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cap-go; Cap-go cap-go
Vendors & Products | | Cap-go; Cap-go cap-go

Wed, 24 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.
Title | | Capgo - Unsecured Supabase Images Bucket via Missing Row Level Security
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T14:54:24.090Z

Reserved: 2026-06-20T12:49:17.830Z

Link: CVE-2026-56302

Vulnrichment

Updated: 2026-06-24T14:37:35.788Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses