Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC

An unauthenticated attacker can call `get_identity_apikey_only` using the public anon API key (`sb_publishable_*`) by sending a POST request to the Supabase REST endpoint with a `capgkey` header. A valid key returns the owning `user_id` (UUID), while an invalid key returns `null`, creating an API key validity oracle [ref_id=1]. The attacker can then chain the leaked `user_id` into the similarly exposed `get_orgs_v6(userid)` RPC to retrieve organization membership details and the `management_email` (PII) [ref_id=1]. No authentication is required beyond the public anon key.

The vulnerability resides in the Supabase RPC function `public.get_identity_apikey_only(keymode[])`, defined in `supabase/migrations/20250530233128_base.sql`. The function is declared `SECURITY DEFINER` and explicitly granted to the `anon` role via `GRANT ALL ON FUNCTION ... TO "anon"`. Additionally, broad default privileges (`ALTER DEFAULT PRIVILEGES ... GRANT ALL ON FUNCTIONS TO "anon"`) increase exposure. The chained endpoint `get_orgs_v6(userid)` is also callable by anon and returns `management_email` (PII) without authorization checks.

The advisory recommends revoking anon access to `get_identity_apikey_only` via `REVOKE ALL ON FUNCTION public.get_identity_apikey_only(...) FROM anon;` and similarly reviewing/revoking anon access for related identity helpers (`get_identity_org_allowed`, `get_identity_org_appid`, `get_identity(keymode[])`) [ref_id=1]. It also advises removing the broad `GRANT ALL ON FUNCTIONS/TABLES TO anon` default privileges in favor of explicit grants, and ensuring `get_orgs_v6(userid)` enforces authorization (e.g., `auth.uid() = userid`) and stops returning `management_email` to unauthorized callers [ref_id=1]. The patched version is 12.128.2.