Capgo - Unauthenticated Cross-Tenant Metrics Disclosure via RPC Functions
Description
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"Missing authorization checks in three Supabase PostgREST RPC functions that are granted to the anon role, allowing any caller with the public API key to query usage telemetry for arbitrary org IDs."
Attack vector
An unauthenticated attacker possessing only the public Supabase API key (`sb_publishable_*`) can send POST requests to the affected RPC endpoints, supplying any `org_id` UUID. Valid org UUIDs return usage telemetry (MAU, bandwidth, installs, gets, app IDs), while random UUIDs return an empty array `[]`, creating an oracle that reveals whether an org exists. [ref_id=1]
Affected code
The three Supabase PostgREST RPC functions `get_app_metrics`, `get_global_metrics`, and `get_total_metrics` are granted to the `anon` role in `supabase/schemas/prod.sql` and accept an arbitrary `org_id` parameter without performing any authorization checks (e.g., no `check_min_rights` or membership enforcement). [ref_id=1]
What the fix does
The advisory does not include a patch diff, but the fix requires adding authorization checks (e.g., `check_min_rights` or org membership enforcement) inside each of the three RPC functions before returning data, and revoking the `GRANT ALL ... TO anon` privilege on those functions so they are no longer callable with only the public API key. [ref_id=1]
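The following SQL is an added illustration of the vulnerable shape described above and the hardened shape the fix calls for; it is not Capgo's schema or code. The table and column names (`app_usage`, `org_users`, `mau`, `bandwidth`, `installs`, `gets`) are assumptions, and because the signature of Capgo's `check_min_rights` helper is not in the advisory, the membership check is written as a plain lookup against the assumed `org_users` table. `auth.uid()` is Supabase's standard JWT helper. The final query is a defender-side audit to confirm that no RPC in `public` remains executable by `anon`.

```sql
-- Added example (not Capgo's code). Table/column names are assumptions.

-- BEFORE (vulnerable pattern): SECURITY DEFINER bypasses row-level security,
-- the function trusts the caller-supplied org_id, and EXECUTE is granted to
-- anon, so the public sb_publishable_* key is enough to call it.
create or replace function public.get_total_metrics(org_id uuid)
returns table (mau bigint, bandwidth bigint, installs bigint, gets bigint)
language sql
security definer
set search_path = public
as $$
  select sum(u.mau)::bigint, sum(u.bandwidth)::bigint,
         sum(u.installs)::bigint, sum(u.gets)::bigint
  from app_usage u
  where u.org_id = get_total_metrics.org_id;   -- no membership check at all
$$;
grant execute on function public.get_total_metrics(uuid) to anon;

-- AFTER (hardened pattern): identify the caller from the JWT, refuse
-- anonymous callers, require org membership before reading any data, and
-- strip EXECUTE from anon *and* PUBLIC. In PostgreSQL every new function is
-- executable by PUBLIC by default, so revoking from anon alone is not enough.
create or replace function public.get_total_metrics(org_id uuid)
returns table (mau bigint, bandwidth bigint, installs bigint, gets bigint)
language plpgsql
security definer
set search_path = public
as $$
begin
  if auth.uid() is null then
    raise exception 'not authenticated' using errcode = '28000';
  end if;

  -- Same error whether the org does not exist or the caller is not a member,
  -- so the response can no longer be used as an org-existence oracle.
  if not exists (
    select 1
    from org_users m
    where m.org_id = get_total_metrics.org_id
      and m.user_id = auth.uid()
  ) then
    raise exception 'forbidden' using errcode = '42501';
  end if;

  return query
    select sum(u.mau)::bigint, sum(u.bandwidth)::bigint,
           sum(u.installs)::bigint, sum(u.gets)::bigint
    from app_usage u
    where u.org_id = get_total_metrics.org_id;
end;
$$;
revoke execute on function public.get_total_metrics(uuid) from public, anon;
grant execute on function public.get_total_metrics(uuid) to authenticated;

-- Audit check: list every function in the public schema that anon can
-- still execute. After the fix, the three metrics RPCs must not appear.
select p.oid::regprocedure as callable_by_anon
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and has_function_privilege('anon', p.oid, 'execute')
order by 1;
```

The membership check runs before the data query rather than as a filter on it, so a caller who is not a member gets an error instead of an empty result; that is what closes the oracle, since an empty `[]` for a non-member would still differ from the error a member sees on a valid org. Applying the same pattern to `get_app_metrics` and `get_global_metrics` is required, since the audit query will otherwise keep listing them.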
Preconditions
- Attacker must have the public Supabase API key (sb_publishable_*), which is typically exposed to clients.
- Attacker must know or guess a valid org UUID to query; the oracle behavior helps enumerate valid orgs.
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/Cap-go/capgo/security/advisories/GHSA-gfpq-vphf-6gcm (MITRE; vendor advisory)
- https://www.vulncheck.com/advisories/capgo-unauthenticated-cross-tenant-metrics-disclosure-via-rpc-functions (MITRE; third-party advisory)