Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 contains an authorization bypass in the public.get_current_plan_max_org RPC. This flaw allows attackers who are not authenticated to query any organization UUID with only the public Supabase key, thereby exposing plan limits such as monthly active users, bandwidth, storage, and build time. The primary impact is the disclosure of confidential billing and usage data, which could assist adversaries in reconstructing organizational size or planning further attacks.

Affected Systems

The vulnerability affects installations of Capgo (vendor Capgo, product Capgo). Any instance running a version earlier than 12.128.2 is susceptible. No specific operating system or deployment environment is listed, so every configuration running an affected Capgo version should be treated as at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity; the ecosystem risk is amplified because attackers only need the public Supabase key, which is widely distributed. The EPSS data is unavailable, but the failure mode does not require code execution or privileged access, only unauthenticated read access. Because the KEV catalog does not list this vulnerability, there is no evidence of widespread exploitation yet, but the ability to retrieve billing information could be exploited for targeted phishing or social engineering. The attack vector is external via the public RPC endpoint.

Generated by OpenCVE AI on June 22, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later
  • Apply role-based access control to the public.get_current_plan_max_org RPC to prevent unauthenticated access
  • Restrict the distribution of the public Supabase key and enforce authentication for RPC calls
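One way to carry out the second recommendation on a Supabase (PostgreSQL/PostgREST) backend, as an added example that is neither Capgo's code nor the vendor's actual fix: the RPC's parameter name and type, the membership table public.org_users, the plan tables and the returned columns are all assumptions; auth.uid() is Supabase's built-in helper.

```sql
-- Added example (not Capgo's code): lock down a Supabase RPC so that only
-- members of an organization can read that organization's plan limits.
-- Assumptions: the RPC takes one uuid argument, membership lives in a
-- hypothetical table public.org_users(org_id uuid, user_id uuid), and the
-- limits come from hypothetical tables public.orgs / public.plans.

-- 1. Remove EXECUTE from the anon role (the role behind the public Supabase
--    key). PostgREST exposes a function only to roles that may execute it, so
--    this removes the unauthenticated endpoint outright. Functions are
--    executable by PUBLIC by default, so PUBLIC must be revoked as well.
REVOKE EXECUTE ON FUNCTION public.get_current_plan_max_org(uuid) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.get_current_plan_max_org(uuid) TO authenticated;

-- 2. Enforce the tenant check inside the function, so a logged-in user of
--    organization A still cannot read organization B's limits.
--    Note: CREATE OR REPLACE keeps the grants above, but PostgreSQL refuses
--    to rename an input parameter; if the existing definition uses another
--    parameter name, DROP FUNCTION first and re-apply the grants.
CREATE OR REPLACE FUNCTION public.get_current_plan_max_org(orgid uuid)
RETURNS TABLE (mau bigint, bandwidth bigint, storage bigint, build_time bigint)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  -- auth.uid() is NULL for anon and for any request without a valid JWT,
  -- so the membership check fails closed for unauthenticated callers.
  IF NOT EXISTS (
    SELECT 1
    FROM public.org_users ou
    WHERE ou.org_id = orgid
      AND ou.user_id = auth.uid()
  ) THEN
    RAISE EXCEPTION 'not a member of this organization'
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  RETURN QUERY
  SELECT p.mau, p.bandwidth, p.storage, p.build_time
  FROM public.orgs o
  JOIN public.plans p ON p.id = o.plan_id
  WHERE o.id = orgid;
END;
$$;
```

After applying this, a request signed only with the public key receives a permission error from PostgREST instead of another tenant's limits, and an authenticated user receives rows only for organizations they belong to.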

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Values removed: none

Values added:
  • Description: Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.
  • Title: Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC
  • Weaknesses: CWE-285
  • References: none listed
  • Metrics:
      cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:47.535Z

Reserved: 2026-06-20T12:53:19.893Z

Link: CVE-2026-56311

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:45:04Z

Weaknesses