Capgo - Unauthenticated Organization Member Email Disclosure via get_org_members RPC

An unauthenticated attacker who knows an organization's UUID (`guild_id`) can invoke the Supabase RPC endpoint `POST /rest/v1/rpc/get_org_members` using only the public `sb_publishable_*` key (the anon key). The `user_id` parameter is accepted but never validated — the function performs `PERFORM user_id;` and discards it [ref_id=1]. The response returns the full member list including email addresses, user IDs, roles (e.g. super_admin, admin), and pending invitation data from `tmp_users`, enabling PII disclosure and cross-tenant enumeration.

The vulnerable endpoint is the Supabase RPC function `public.get_org_members(user_id uuid, guild_id uuid)` defined in `supabase/migrations/20260102120000_fix_get_org_members_include_tmp_users.sql`. The function is marked `SECURITY DEFINER` and executes `PERFORM user_id;` without any authentication or authorization check, so the `user_id` parameter is ignored entirely. The function returns `users.email`, `uid`, `role`, and pending invitation data from `public.tmp_users` for the supplied `guild_id`.

The advisory states the fix was released in version 12.128.2 but does not include a patch diff. The remediation must add an access control check inside `get_org_members` that verifies the caller's `auth.uid()` is a member of the requested `guild_id` before returning member data. Without such a check, the function continues to expose PII to any caller who possesses the public anon key and an org UUID.