Impact
The vulnerability arises from a missing authentication middleware on the GET /private/role_bindings/:org_id endpoint in Capgo’s backend Supabase edge functions prior to version 12.128.2. Because the global authentication guard is not applied to this route, unauthenticated HTTP GET requests bypass the middleware layer and reach the handler. The handler contains its own authorization check, which currently returns an Unauthorized response, so the endpoint is not directly readable today; the inconsistency nevertheless leaves the route one code change away from an authorization bypass, should the handler-level check be altered or omitted in a future update.
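To make the routing mistake concrete, the following is an added TypeScript illustration, not Capgo’s own code: a minimal router in which the authentication guard is registered per HTTP method, so a GET slips past it and is stopped only by the handler's internal check, beside the corrected form where one guard covers every method under the private prefix. The router, the bearer-token check, the handler bodies, the token and the role-binding data are all constructed for this example.

```typescript
// Added illustration, not Capgo's code: a minimal router showing why a guard
// registered per HTTP method lets GET through, and what the fix looks like.

type Method = "GET" | "POST" | "DELETE";

interface HttpRequest {
  method: Method;
  path: string;
  headers: Record<string, string>; // header names assumed lower-cased
}

interface HttpResponse {
  status: number;
  body: string;
}

type Handler = (req: HttpRequest) => HttpResponse;
type Middleware = (req: HttpRequest, next: () => HttpResponse) => HttpResponse;

// Constructed stand-in for real session/token validation.
const VALID_TOKENS = new Set(["tok-alice"]);

function callerIsAuthenticated(req: HttpRequest): boolean {
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  return VALID_TOKENS.has(token);
}

// Hypothetical global guard, playing the role of the missing middleware.
const requireAuth: Middleware = (req, next) =>
  callerIsAuthenticated(req) ? next() : { status: 401, body: "Unauthorized" };

class Router {
  private routes: { method: Method; prefix: string; handler: Handler }[] = [];
  private guards: { method: Method | "*"; prefix: string; mw: Middleware }[] = [];

  use(method: Method | "*", prefix: string, mw: Middleware): void {
    this.guards.push({ method, prefix, mw });
  }

  on(method: Method, prefix: string, handler: Handler): void {
    this.routes.push({ method, prefix, handler });
  }

  // Runs the matching guards in order, then the handler. reachedHandler
  // records whether the request got past the middleware layer at all.
  handle(req: HttpRequest): HttpResponse & { reachedHandler: boolean } {
    const route = this.routes.find(
      (r) => r.method === req.method && req.path.startsWith(r.prefix),
    );
    if (!route) return { status: 404, body: "Not Found", reachedHandler: false };
    const chain = this.guards.filter(
      (g) => (g.method === "*" || g.method === req.method) && req.path.startsWith(g.prefix),
    );
    let reachedHandler = false;
    const run = (i: number): HttpResponse => {
      const guard = chain[i];
      if (guard === undefined) {
        reachedHandler = true;
        return route.handler(req);
      }
      return guard.mw(req, () => run(i + 1));
    };
    const res = run(0);
    return { ...res, reachedHandler };
  }
}

// Constructed sample data standing in for an organization's role bindings.
const ROLE_BINDINGS: Record<string, { user: string; role: string }[]> = {
  "org-123": [{ user: "alice", role: "admin" }],
};

function orgIdFromPath(path: string): string {
  return path.split("/").pop() ?? "";
}

// Handler with its own check, matching the current state the advisory describes.
const guardedHandler: Handler = (req) => {
  if (!callerIsAuthenticated(req)) return { status: 401, body: "Unauthorized" };
  return { status: 200, body: JSON.stringify(ROLE_BINDINGS[orgIdFromPath(req.path)] ?? []) };
};

// The feared regression: a later edit drops the handler-level check.
const unguardedHandler: Handler = (req) => ({
  status: 200,
  body: JSON.stringify(ROLE_BINDINGS[orgIdFromPath(req.path)] ?? []),
});

function buildRouter(guardStyle: "per-method" | "global", handler: Handler): Router {
  const r = new Router();
  if (guardStyle === "per-method") {
    // Mistake: the guard is attached to POST and DELETE but not to GET.
    r.use("POST", "/private/", requireAuth);
    r.use("DELETE", "/private/", requireAuth);
  } else {
    // Fix: one guard for every method under the private prefix.
    r.use("*", "/private/", requireAuth);
  }
  for (const m of ["GET", "POST", "DELETE"] as const) {
    r.on(m, "/private/role_bindings/", handler);
  }
  return r;
}

const anonymousGet: HttpRequest = {
  method: "GET",
  path: "/private/role_bindings/org-123",
  headers: {},
};
const authenticatedGet: HttpRequest = {
  ...anonymousGet,
  headers: { authorization: "Bearer tok-alice" },
};
```

The reachedHandler flag is the point of the exercise: with the per-method guard an anonymous GET is rejected, but only inside the handler, so removing that check (the unguardedHandler case) serves the data to anyone. With the global guard the request never reaches handler code in either case, while an authenticated GET still succeeds.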
Affected Systems
Affected systems are deployments of the Capgo backend Supabase edge functions, provided by Capgo, at versions before 12.128.2 (the 12.127.x line and earlier releases). In those versions authentication is not enforced on the GET /private/role_bindings endpoint, whereas the POST and DELETE routes under the same path are correctly protected. Applications that rely on this functionality and have integrated an unpatched backend are affected.
Risk and Exploitability
The CVSS score of 6.9 indicates medium severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS data is not available, so the probability of exploitation is unknown. The attack vector is an unauthenticated HTTP GET request to /private/role_bindings/:org_id. Today such a request is rejected by the handler's own check; if that check were removed or weakened in a later change, an unauthenticated attacker could read protected role binding information for an organization, which could support privilege escalation. The fix is to upgrade to version 12.128.2 or later, where the authentication guard covers the GET route. Until the upgrade is deployed, monitor for unauthenticated GET requests to this path and ensure strict access controls in downstream services.
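As an added example of the monitoring advised above (not from the advisory or from Capgo), the following TypeScript flags unauthenticated GET requests to the role-bindings route in an access log and separates mere probes from requests that were actually answered with data. The log line format, the sample lines, the IP addresses and the field names are all constructed assumptions; adapt the parser to whatever the edge-function runtime actually emits.

```typescript
// Added detection example, not part of the advisory or Capgo's tooling.
// Assumed log format: "<iso-time> <method> <path> <status> auth=<yes|no> ip=<addr>".

interface AccessEvent {
  time: string;
  method: string;
  path: string;
  status: number;
  authenticated: boolean;
  ip: string;
}

interface Finding {
  // probe: an anonymous GET that was rejected (the handler check held).
  // success: an anonymous GET answered 2xx, i.e. the handler check has regressed.
  kind: "unauthenticated_probe" | "unauthenticated_success";
  event: AccessEvent;
}

// Exactly one org-id segment after the prefix, nothing nested below it.
const ROLE_BINDINGS_PATH = /^\/private\/role_bindings\/[^/]+$/;

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG: string[] = [
  "2024-05-01T10:00:00Z GET /private/role_bindings/org-1 200 auth=yes ip=203.0.113.5",
  "2024-05-01T10:00:02Z GET /private/role_bindings/org-1 401 auth=no ip=198.51.100.7",
  "2024-05-01T10:00:03Z GET /private/role_bindings/org-2 200 auth=no ip=198.51.100.7",
  "2024-05-01T10:00:04Z POST /private/role_bindings/org-1 401 auth=no ip=198.51.100.7",
  "2024-05-01T10:00:05Z GET /private/role_bindings/org-3 401 auth=no ip=198.51.100.9",
  "2024-05-01T10:00:06Z GET /public/app/org-1 200 auth=no ip=198.51.100.9",
];

// Returns null for lines that do not fit the assumed format rather than throwing,
// so one malformed line does not stop the scan.
function parseAccessLine(line: string): AccessEvent | null {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 6) return null;
  const [time, method, path, statusText, authField, ipField] = parts;
  const status = Number(statusText);
  if (!Number.isInteger(status)) return null;
  if (!authField.startsWith("auth=") || !ipField.startsWith("ip=")) return null;
  return {
    time,
    method,
    path,
    status,
    authenticated: authField === "auth=yes",
    ip: ipField.slice("ip=".length),
  };
}

// Flags every unauthenticated GET to the role-bindings route. Authenticated
// calls, other methods (already guarded by middleware) and other paths are ignored.
function detectRoleBindingAccess(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const ev = parseAccessLine(line);
    if (!ev || ev.method !== "GET" || ev.authenticated) continue;
    if (!ROLE_BINDINGS_PATH.test(ev.path)) continue;
    const served = ev.status >= 200 && ev.status < 300;
    findings.push({
      kind: served ? "unauthenticated_success" : "unauthenticated_probe",
      event: ev,
    });
  }
  return findings;
}

// Per-source counts make repeated probing from one address stand out.
function findingsBySource(findings: Finding[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of findings) {
    counts.set(f.event.ip, (counts.get(f.event.ip) ?? 0) + 1);
  }
  return counts;
}
```

An unauthenticated_success finding is the one that matters operationally: it means the handler-level check is no longer rejecting anonymous callers, and the affected org_id values identify whose role bindings were exposed. Probes alone confirm the route is being touched without credentials and are a reason to prioritise the upgrade.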
OpenCVE Enrichment