Capgo - Unauthenticated Organization Enumeration and Billing Status Disclosure via Supabase RPC
Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key. Attackers can invoke these endpoints to determine whether an organization exists via distinguishable return values and to identify paying customers for targeted profiling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing authorization checks on Supabase PostgREST RPC endpoints is_trial_org and is_paying_org allow unauthenticated callers to enumerate organizations and discover billing status."
Attack vector
An unauthenticated attacker sends POST requests to `/rest/v1/rpc/is_trial_org` and `/rest/v1/rpc/is_paying_org` using the public `sb_publishable_*` API key as both the `apikey` header and Bearer token. The `is_trial_org` endpoint returns an integer (0) for an existing org UUID and `null` for a non-existent org, creating an existence oracle. The `is_paying_org` endpoint returns `true` or `false`, disclosing the organization's billing status. By iterating over candidate org UUIDs, an attacker can enumerate valid organizations and identify paying customers for targeted profiling. [ref_id=1]
Affected code
The Supabase PostgREST RPC endpoints `is_trial_org` and `is_paying_org` (on project `xvwzpoazmxkqosrdewyv`) are the affected code paths. These endpoints do not require authentication and return distinguishable values depending on whether the supplied `org_id` exists or is a paying customer. [ref_id=1]
What the fix does
The advisory [ref_id=1] recommends restricting these RPCs to authenticated contexts with org membership validation, or requiring privileged/service credentials. It also suggests returning uniform responses for invalid or non-member org IDs to eliminate the oracle behavior. The patch (in Capgo version 12.128.2) implements these changes by adding authorization checks, ensuring unauthenticated callers can no longer distinguish between existing and non-existent orgs or learn billing status.
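The following is an illustrative hardened definition added here for explanation; it is not Capgo's actual patch or schema. It assumes a Supabase Postgres project with the standard `anon` and `authenticated` roles and `auth.uid()`, and invents an `org_users(org_id, user_id)` membership table, an `orgs(id, is_paying)` table and the parameter name `org_id`. `is_trial_org` would follow the same pattern.

```sql
-- Illustrative only: assumed table/column names, not Capgo's real schema.

-- 1. Remove execute rights from the anon role (what the public publishable
--    key maps to) and from PUBLIC, which Postgres grants by default.
REVOKE EXECUTE ON FUNCTION public.is_paying_org(uuid) FROM anon, PUBLIC;
REVOKE EXECUTE ON FUNCTION public.is_trial_org(uuid)  FROM anon, PUBLIC;
GRANT  EXECUTE ON FUNCTION public.is_paying_org(uuid) TO authenticated;
GRANT  EXECUTE ON FUNCTION public.is_trial_org(uuid)  TO authenticated;

-- 2. Inside the function, require a signed-in caller who is a member of the
--    org, and return the same value for "no such org", "not a member" and
--    "not paying" so the response carries no existence signal.
CREATE OR REPLACE FUNCTION public.is_paying_org(org_id uuid)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER            -- runs with owner rights, so gate it explicitly
SET search_path = public    -- avoid search_path hijacking in SECURITY DEFINER
AS $$
BEGIN
  -- No JWT subject: unauthenticated caller. Uniform, uninformative result.
  IF auth.uid() IS NULL THEN
    RETURN false;
  END IF;

  -- Caller is not a member of this org (or the org does not exist at all):
  -- identical result to the non-existent case, closing the oracle.
  IF NOT EXISTS (
      SELECT 1
      FROM public.org_users ou            -- hypothetical membership table
      WHERE ou.org_id = is_paying_org.org_id
        AND ou.user_id = auth.uid()
  ) THEN
    RETURN false;
  END IF;

  -- Only a verified member reaches the real billing lookup.
  RETURN EXISTS (
      SELECT 1
      FROM public.orgs o                  -- hypothetical orgs table
      WHERE o.id = is_paying_org.org_id
        AND o.is_paying
  );
END;
$$;
```

After deploying, confirm the fix by calling the RPC with only the publishable key: it should now fail with a permission error rather than return a value, and an authenticated non-member should receive the same `false` as for an unknown UUID.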
Preconditions
- Input: Attacker must know or be able to guess candidate org UUIDs
- Config: Attacker needs the public sb_publishable API key (exposed to clients)
- Auth: No authentication required; endpoints are publicly callable
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References