Capgo - Password Spraying via Public-Key Accessible Credential Validation Endpoint
Description
Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks to compromise user accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The POST endpoint uses a privileged server-side auth client to validate credentials but is accessible with only the public Supabase key, has no rate limiting or captcha, and allows CORS wildcard origins."
Attack vector
An attacker can call `POST /functions/v1/private/validate_password_compliance` using only the public Supabase key (`sb_publishable_*`), without any user session. The endpoint permits cross-origin requests via `access-control-allow-origin: *` and does not enforce captcha or observable rate limiting [ref_id=1]. Because the server-side credential check returns success on valid credentials, an attacker can automate repeated credential guessing—password spraying or credential stuffing—to discover working credentials for user accounts [ref_id=1].
Affected code
The advisory identifies `supabase/functions/_backend/private/validate_password_compliance.ts` as the vulnerable endpoint. It calls `supabaseAdmin.auth.signInWithPassword({ email, password })` server-side, returning a uniform `401 invalid_credentials` on failure but confirming valid credentials on success [ref_id=1].
What the fix does
The advisory states that the patched version is 12.128.2 but does not include a diff or specific code change [ref_id=1]. The recommended remediation is to require an authenticated user session (or restrict the endpoint to internal/admin use), enforce server-side captcha/Turnstile verification, add strict rate limiting (per IP, per account, and per org), and consider removing privileged credential verification from this function entirely [ref_id=1].
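The remediation the advisory recommends, as an added example that is not Capgo's code: a request guard in front of a credential-validation handler that requires a user session, restricts the origin, and rate-limits on both source IP and target account. The class, the `verifySession` callback, and the request shape are hypothetical; the underlying Supabase call is not modelled.

```typescript
// Added example, not from the Capgo repository. Models the guard a hardened
// validate_password_compliance handler would run before touching credentials.
type Req = { ip: string; email: string; userJwt?: string; origin?: string };
type Decision = { status: number; error?: string };

class CredentialCheckGuard {
  // Sliding-window timestamps per key ("ip:<addr>" or "acct:<email>").
  private buckets = new Map<string, number[]>();

  constructor(
    private readonly limit: number,        // attempts allowed per window
    private readonly windowMs: number,     // window length in milliseconds
    private readonly allowedOrigin: string, // first-party origin, not "*"
    private readonly verifySession: (jwt: string) => boolean, // hypothetical
  ) {}

  // Returns true when the key has used up its window, otherwise records the hit.
  private tooMany(key: string, now: number): boolean {
    const stamps = (this.buckets.get(key) ?? []).filter(t => now - t < this.windowMs);
    if (stamps.length >= this.limit) {
      this.buckets.set(key, stamps);
      return true;
    }
    stamps.push(now);
    this.buckets.set(key, stamps);
    return false;
  }

  check(req: Req, now: number): Decision {
    // 1. A user session is required; the public (anon) key alone is not enough.
    if (!req.userJwt || !this.verifySession(req.userJwt)) {
      return { status: 401, error: "session_required" };
    }
    // 2. Origin allow-list instead of a wildcard. CORS only constrains browsers,
    //    so this is a hygiene control, not the authorization control above.
    if (req.origin !== undefined && req.origin !== this.allowedOrigin) {
      return { status: 403, error: "origin_not_allowed" };
    }
    // 3. Limit per IP (spraying many accounts from one host) and per account
    //    (stuffing one account from many hosts); either bucket can trip.
    if (this.tooMany(`ip:${req.ip}`, now) ||
        this.tooMany(`acct:${req.email.toLowerCase()}`, now)) {
      return { status: 429, error: "rate_limited" };
    }
    return { status: 200 };
  }
}
```

A 429 here is what the advisory's 50-request check would expect to see; the per-organisation limit it also suggests would be one more bucket keyed on the caller's org.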
Preconditions
- Input: the attacker must possess the public Supabase key (`sb_publishable_*`), which is intended for client-side use and is not a secret.
- Network: the endpoint must be exposed and reachable over the network; no authenticated user session is required.
Reproduction
The bundle includes a full PoC: a curl command that sends a cross-origin request with the public key, and a bash script demonstrating 50 rapid requests without any 429 (rate-limit) response, confirming no throttling is enforced [ref_id=1].
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-f6v3-xv4g-79h5 (MITRE; vendor advisory)
- www.vulncheck.com/advisories/capgo-password-spraying-via-public-key-accessible-credential-validation-endpoint (MITRE; third-party advisory)