Capgo - Unauthenticated Channel Enumeration and App Oracle via GET /channel_self
Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (1)
Vulnerability mechanics
Root cause
"Missing authentication and permission checks in the channel_self GET handler allow unauthenticated callers to invoke listCompatibleChannels() and receive internal channel metadata."
Attack vector
An unauthenticated attacker sends a GET request to `/functions/v1/channel_self` with an arbitrary `app_id` parameter. The server returns channel metadata (including non-public channel names like `dev` and `beta`) for valid apps, an `app_not_found` error for non-existent apps, and an HTTP 429 `need_plan_upgrade` response for apps whose subscription has lapsed [ref_id=1]. This oracle lets attackers enumerate valid application IDs across tenants and probe billing status without any authentication, device binding, or API key.
Affected code
The unauthenticated GET handler in `supabase/functions/channel_self/index.ts` and `supabase/functions/_backend/plugins/channel_self.ts` does not call `checkPermission()`, does not require `device_id` in `jsonRequestSchemaGet`, and passes `requireDevice=false` to `parsePluginBody()`, allowing anyone to call `listCompatibleChannels()` without authentication [ref_id=1].
What the fix does
The advisory recommends three mitigations: require `device_id` and verify the device is already bound to the app before listing channels; only return channels where `public = true` for unauthenticated requests; or normalize all unauthenticated failure responses to remove the app/plan oracle [ref_id=1]. No patch diff is included in the bundle, so the exact code changes are not shown.
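To make the oracle and its closure concrete, the following is an added example, not Capgo's code and not the advisory's patch. It models the vulnerable GET behaviour described above beside a hardened handler that applies the first and third mitigations (mandatory, already-bound `device_id`; one indistinguishable response for every unauthenticated failure). The second mitigation, filtering to `public = true`, is the alternative for a deployment that keeps an anonymous path and is not implemented here. The types, sample data, store lookups and every status code other than the 429 named in the advisory are constructed assumptions.

```typescript
// Added example (not Capgo's code): vulnerable vs. hardened channel_self GET
// logic. App, Channel and DeviceBinding are constructed stand-ins for the
// real schema; lookups are in-memory arrays instead of database queries.

interface App { appId: string; planActive: boolean }
interface Channel { appId: string; name: string; isPublic: boolean }
interface DeviceBinding { appId: string; deviceId: string }

interface ChannelSelfRequest { app_id?: string; device_id?: string }

type ChannelSelfResponse =
  | { status: 200; channels: string[] }
  | { status: 400; error: 'invalid_request' }
  | { status: 404; error: 'app_not_found' }      // 404 is assumed; the advisory names only the error string
  | { status: 429; error: 'need_plan_upgrade' }; // 429 is the code the advisory reports

// Constructed sample data: one active app with internal rollout channels,
// one app whose plan has lapsed, and the devices bound to each.
const APPS: App[] = [
  { appId: 'com.example.shop', planActive: true },
  { appId: 'com.example.lapsed', planActive: false },
];
const CHANNELS: Channel[] = [
  { appId: 'com.example.shop', name: 'production', isPublic: true },
  { appId: 'com.example.shop', name: 'beta', isPublic: false },
  { appId: 'com.example.shop', name: 'dev', isPublic: false },
  { appId: 'com.example.lapsed', name: 'production', isPublic: true },
];
const BINDINGS: DeviceBinding[] = [
  { appId: 'com.example.shop', deviceId: 'device-0001' },
  { appId: 'com.example.lapsed', deviceId: 'device-0002' },
];

function channelNames(appId: string): string[] {
  return CHANNELS.filter(c => c.appId === appId).map(c => c.name);
}

function isBound(appId: string, deviceId: string): boolean {
  return BINDINGS.some(b => b.appId === appId && b.deviceId === deviceId);
}

// Vulnerable shape: no device binding is required, and three distinct outcomes
// ("unknown app", "lapsed plan", "valid app") are visible to any caller, so an
// arbitrary app_id doubles as an existence and billing oracle. A valid app_id
// returns every channel, including non-public ones such as dev and beta.
function listChannelsVulnerable(req: ChannelSelfRequest): ChannelSelfResponse {
  if (!req.app_id) return { status: 400, error: 'invalid_request' };
  const app = APPS.find(a => a.appId === req.app_id);
  if (!app) return { status: 404, error: 'app_not_found' };
  if (!app.planActive) return { status: 429, error: 'need_plan_upgrade' };
  return { status: 200, channels: channelNames(app.appId) };
}

// Hardened shape: device_id is mandatory and must already be bound to the app.
// Missing parameters, an unknown app and an unbound device all collapse to the
// same response, so nothing about app existence is learned before binding is
// proven. Only a bound device sees the plan status, which it needs anyway.
function listChannelsHardened(req: ChannelSelfRequest): ChannelSelfResponse {
  const denied: ChannelSelfResponse = { status: 400, error: 'invalid_request' };
  if (!req.app_id || !req.device_id) return denied;
  const app = APPS.find(a => a.appId === req.app_id);
  if (!app || !isBound(app.appId, req.device_id)) return denied;
  if (!app.planActive) return { status: 429, error: 'need_plan_upgrade' };
  return { status: 200, channels: channelNames(app.appId) };
}
```

The key property to check in review is that the hardened handler's failure responses are byte-identical regardless of which check failed; a handler that returns the same status code with different error strings, or the same body with different latency because one path skipped a database lookup, still leaks.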
Preconditions
- Auth: No authentication, API key, or device binding required
- Input: Attacker must know or guess a valid Supabase project URL
- Input: Attacker supplies an arbitrary app_id query parameter
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-469v-6vw5-hxpq (MITRE, vendor advisory)
- www.vulncheck.com/advisories/capgo-unauthenticated-channel-enumeration-and-app-oracle-via-get-channel-self (MITRE, third-party advisory)