Capgo: 21 CVEs Disclosed Together — Unauthenticated Cross-Tenant Bugs and Scope Escalation Lead the Batch
Capgo disclosed 21 security vulnerabilities on June 19–20, including unauthenticated cross-tenant bugs, scope escalation, and authentication flaws — all patched in versions 12.128.2 and 12.128.12.

Key findings
- 21 CVEs disclosed together on June 19–20, 2026, all patched in versions 12.128.2 and 12.128.12
- Four unauthenticated cross-tenant bugs target Supabase PostgREST RPC functions granted to the anon role
- CVE-2026-56216 allows app-limited API keys to escalate to unrestricted org-wide keys
- CVE-2026-56215 enables SSO account takeover by poisoning the public.users.email field
- CVE-2026-56081 lets attackers lock victims out of accounts by pre-registering with their email
- No active exploitation reported as of disclosure
Capgo, the open-source mobile app distribution platform built on Supabase, disclosed 21 distinct security vulnerabilities on June 19–20, 2026, revealing systemic authorization weaknesses across its multi-tenant architecture. The batch includes unauthenticated cross-tenant bugs, scope escalation flaws, authentication logic errors, and information disclosure issues — all patched in versions 12.128.2 and 12.128.12.
Unauthenticated Cross-Tenant Bugs in Supabase RPC Endpoints
A cluster of four CVEs targets Supabase PostgREST RPC functions that are granted to the anon role without enforcing org membership. CVE-2026-56235 exposes cross-tenant metrics via get_app_metrics, get_global_metrics, and get_total_metrics — callable with only the public Supabase publishable key. CVE-2026-56213 allows unauthenticated attackers to poison version metadata for any app by calling public.upsert_version_meta. CVE-2026-56214 lets attackers enumerate organizations and disclose billing status via the is_trial_org and is_paying_org RPCs. CVE-2026-56082 enables billing log tampering through public.record_build_time. Together, these bugs demonstrate that Capgo's RPC-layer authorization relied on Supabase's default anon role rather than explicit org-scoped checks.
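The control this cluster lacked, an explicit org-membership check applied before any app-scoped data is read or written, looks like the following in TypeScript. This is an added illustration, not Capgo's code: the tenancy tables, user and app ids, and the function names are constructed for the example.

```typescript
// Added example (not Capgo code): explicit org-scoped authorization in front of
// RPC-style operations. The tenancy model, ids and function names are assumptions.

type Caller =
  | { kind: "anon" }                    // request carried only the public publishable key
  | { kind: "user"; userId: string };   // request carried a verified user session

class AuthorizationError extends Error {}

// Constructed sample tenancy: which org owns each app and who belongs to each org.
const appOrg: Record<string, string> = { app_alpha: "org_1", app_beta: "org_2" };
const orgMembers: Record<string, Set<string>> = {
  org_1: new Set(["user_alice"]),
  org_2: new Set(["user_bob"]),
};

// Constructed sample data behind two operations: per-app metrics and version metadata.
const metrics: Record<string, { installs: number; failures: number }> = {
  app_alpha: { installs: 1200, failures: 3 },
  app_beta: { installs: 40, failures: 0 },
};
const versionMeta: Record<string, Record<string, string>> = { app_alpha: {}, app_beta: {} };

function isOrgMember(caller: Caller, orgId: string): boolean {
  if (caller.kind !== "user") return false;            // anon never satisfies membership
  return orgMembers[orgId]?.has(caller.userId) ?? false;
}

// Every app-scoped operation goes through this one check. An unknown app and a foreign
// app produce the same error, so the endpoint does not double as an app-existence oracle.
function requireAppAccess(caller: Caller, appId: string): void {
  const orgId = appOrg[appId];
  if (orgId === undefined || !isOrgMember(caller, orgId)) {
    throw new AuthorizationError("not authorized for app");
  }
}

function getAppMetrics(caller: Caller, appId: string): { installs: number; failures: number } {
  requireAppAccess(caller, appId);
  return metrics[appId];
}

function upsertVersionMeta(caller: Caller, appId: string, version: string, checksum: string): void {
  requireAppAccess(caller, appId);
  versionMeta[appId][version] = checksum;
}
```

When the function is exposed directly through PostgREST rather than through application code, the equivalent fix lives in the database: revoke EXECUTE on the function from the anon role and compare auth.uid() against the org membership table inside the function body, so the check cannot be skipped by calling the RPC with the publishable key alone.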
Scope Escalation and Authorization Bypass
CVE-2026-56216 is a particularly dangerous scope escalation: an attacker with a compromised app-limited API key can call POST /functions/v1/apikey with empty limits to mint an unrestricted org-wide key. CVE-2026-56295 bypasses the require_apikey_expiration policy for non-expiring legacy keys in webhook management. CVE-2026-56079 allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs via PostgREST endpoints. CVE-2026-56215 enables SSO account takeover by letting authenticated users modify their public.users.email to a victim's corporate SSO email, which the provisioning endpoint trusts as a merge key.
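The two API-key bugs in this section share a root cause: a key-minting path that treats missing limits as "no limits" and an expiration policy that was not applied uniformly. The following TypeScript is an added example, not Capgo's implementation; the key model, field names, policy values and sample keys are assumptions made for the illustration. A derived key must be a subset of the key that mints it, missing fields inherit the caller's limits, and the expiration policy is evaluated on every new key regardless of whether the minting key is a legacy non-expiring one.

```typescript
// Added example (not Capgo code): narrowing rules for minting an API key from
// another API key. The key model, field names and policy values are assumptions.

interface ApiKeyScope {
  orgId: string;
  appIds: string[] | null;    // null = every app in the org (org-wide)
  mode: "read" | "write";
  expiresAt: number | null;   // epoch milliseconds; null = never expires (legacy)
}

interface KeyPolicy {
  requireExpiration: boolean; // an org setting in the spirit of require_apikey_expiration
  maxLifetimeMs: number;
}

class ScopeError extends Error {}

// A derived key may only be equal to or narrower than the key that mints it.
function isSubsetScope(requested: ApiKeyScope, caller: ApiKeyScope): boolean {
  if (requested.orgId !== caller.orgId) return false;
  if (caller.mode === "read" && requested.mode !== "read") return false;
  if (caller.appIds !== null) {
    if (requested.appIds === null) return false;   // app-limited key cannot mint org-wide
    const allowed = new Set(caller.appIds);
    if (!requested.appIds.every((id) => allowed.has(id))) return false;
  }
  if (caller.expiresAt !== null) {
    if (requested.expiresAt === null || requested.expiresAt > caller.expiresAt) return false;
  }
  return true;
}

// Fields missing from the request inherit the caller's limits; they never mean "unlimited".
function mintKey(caller: ApiKeyScope, request: Partial<ApiKeyScope>, policy: KeyPolicy, now: number): ApiKeyScope {
  const requested: ApiKeyScope = {
    orgId: request.orgId ?? caller.orgId,
    appIds: request.appIds === undefined ? caller.appIds : request.appIds,
    mode: request.mode ?? caller.mode,
    expiresAt: request.expiresAt === undefined ? caller.expiresAt : request.expiresAt,
  };
  if (!isSubsetScope(requested, caller)) {
    throw new ScopeError("requested scope exceeds the minting key's scope");
  }
  // The expiration policy is checked on every new key, so a legacy non-expiring caller
  // cannot pass its missing expiry on to the keys it creates.
  if (policy.requireExpiration &&
      (requested.expiresAt === null || requested.expiresAt > now + policy.maxLifetimeMs)) {
    throw new ScopeError("key must expire within the policy lifetime");
  }
  return requested;
}

// Constructed sample values: an app-limited, legacy non-expiring key under a 30-day policy.
const DAY_MS = 86_400_000;
const samplePolicy: KeyPolicy = { requireExpiration: true, maxLifetimeMs: 30 * DAY_MS };
const sampleNow = 1_700_000_000_000;
const sampleAppKey: ApiKeyScope = { orgId: "org_1", appIds: ["app_a"], mode: "write", expiresAt: null };

// True when minting from the sample key is refused with a ScopeError.
function mintRefused(request: Partial<ApiKeyScope>): boolean {
  try { mintKey(sampleAppKey, request, samplePolicy, sampleNow); return false; }
  catch (e) { return e instanceof ScopeError; }
}
```

With this shape, a request carrying empty or absent limits yields a key no broader than the caller's, a request for org-wide scope from an app-limited key is refused outright, and the legacy key's missing expiry is not inherited because the policy check runs on the result rather than on the caller.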
Authentication and Account Takeover Flaws
CVE-2026-56081 lets an attacker pre-register an account with a victim's email before verification, then enable 2FA to lock the victim out. CVE-2026-56073 bypasses OTP verification entirely by manipulating server responses. CVE-2026-56212 allows a user to enable mandatory 2FA for all team members without having 2FA on their own account. CVE-2026-56080 causes the password-compliance state to never update after a Super Admin sets a compliant password, triggering repeated forced password changes. CVE-2026-56228 lets an org admin set a minimum password length of billions of characters, making compliance impossible.
Information Disclosure and Open Redirect
CVE-2026-56282 exposes internal PostgreSQL replication telemetry (slot names, WAL LSN positions) via an unauthenticated /replication endpoint. CVE-2026-56319 creates an app existence oracle: app-limited API keys can distinguish real sibling app IDs through differential 500 PGRST116 errors. CVE-2026-56218 fails to strip EXIF metadata including GPS coordinates from uploaded images. Two open redirects — CVE-2026-56332 (unvalidated confirmation_url) and CVE-2026-56330 (unvalidated Stripe billing URLs) — enable phishing attacks.
Additional Bugs
CVE-2026-56325 uses SQL ILIKE wildcard matching for app_id lookup, allowing underscore characters to act as wildcards and cause app confusion. CVE-2026-56307 breaks cursor pagination in the /private/devices endpoint, causing duplicate-page loops. CVE-2026-56227 allows SSRF via webhook URLs pointing to loopback addresses.
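Three of the bugs in the last two sections, the open redirects (CVE-2026-56332, CVE-2026-56330), the loopback webhook SSRF (CVE-2026-56227) and the ILIKE app_id lookup (CVE-2026-56325), are input-validation problems with well-known defensive shapes. The TypeScript below is an added example that is not Capgo's code; the allowed origins, hostnames, app ids and the TLS-only webhook policy are assumptions. It also includes a small LIKE emulator so the wildcard effect can be seen directly.

```typescript
// Added example (not Capgo code): validation helpers for the redirect, webhook and
// app_id lookup issues above. Allowed origins, hosts and app ids are assumptions.

// Open redirect: forward only to one of our own origins; anything else goes to the fallback.
// Resolving against our first origin lets relative paths through, while protocol-relative
// ("//evil.example/x") and scheme-bearing ("javascript:", "https://evil.example") inputs
// end up with a different origin and fail the allowlist check.
function safeRedirect(candidate: string, allowedOrigins: string[], fallback: string): string {
  let url: URL;
  try {
    url = new URL(candidate, allowedOrigins[0]);
  } catch {
    return fallback;
  }
  return allowedOrigins.includes(url.origin) ? url.toString() : fallback;
}

// Literal IPv4 addresses that must never be a webhook destination: loopback, "this network",
// the RFC 1918 private ranges and link-local (which includes cloud metadata at 169.254.169.254).
function isBlockedIpv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m === null) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 0 || a === 10 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Webhook target check. The WHATWG URL parser canonicalises IPv4 hosts, so decimal
// ("2130706433") and octal ("0177.0.0.1") spellings of 127.0.0.1 reach isBlockedIpv4 in
// dotted form. This is the syntactic gate only: a hostname that resolves to a private
// address must still be rejected at connect time, after DNS resolution.
function isAllowedWebhookUrl(candidate: string): boolean {
  let url: URL;
  try { url = new URL(candidate); } catch { return false; }
  if (url.protocol !== "https:") return false;                  // assumed policy: TLS only
  if (url.username !== "" || url.password !== "") return false; // no credentials in the URL
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[")) return false;                       // reject every IPv6 literal, ::1 included
  return !isBlockedIpv4(host);
}

// app_id lookup: in LIKE/ILIKE, "_" matches any single character and "%" any run, so the
// pattern "app_1" also matches "appX1". Use an equality comparison for lookups; where a
// pattern query is unavoidable, escape the metacharacters (and the escape character) first.
function escapeLikePattern(value: string): string {
  return value.replace(/[\\%_]/g, (ch) => "\\" + ch);
}

// Small emulation of SQL LIKE with backslash as the escape character, to show the effect.
function likeMatch(pattern: string, text: string): boolean {
  const quote = (ch: string) => ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\" && i + 1 < pattern.length) re += quote(pattern[++i]);
    else if (ch === "%") re += ".*";
    else if (ch === "_") re += ".";
    else re += quote(ch);
  }
  return new RegExp("^" + re + "$").test(text);
}
```

The redirect helper compares whole origins rather than prefixes, which is what defeats lookalike hosts such as app.example.evil.example; the webhook helper is deliberately conservative about IPv6 because the spellings of loopback and mapped IPv4 addresses are numerous, and it should be paired with an address check on the resolved socket.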
Response and Patch Status
All 21 vulnerabilities were fixed in Capgo versions 12.128.2 and 12.128.12. No active exploitation has been reported as of the disclosure date (Vypr Intelligence). Users are strongly advised to upgrade to the latest patched version immediately. The batch reveals that Capgo's multi-tenant Supabase architecture had systemic authorization gaps — particularly around RPC functions granted to the anon role and API key scope enforcement — that required fixes across authentication, API key management, and data access layers.