Capgo: 25 CVEs Disclosed in Single Batch — Auth Bypasses, SQLi, and Missing RLS

Key findings
- 25 CVEs disclosed together, all fixed in Capgo 12.128.2 (two in 12.128.12)
- Multiple authentication and authorization bypasses, including 2FA bypass at the API level
- Subkey and scope enforcement can be defeated via the x-limited-key-id header
- Unauthenticated information disclosure via RPC functions and missing RLS policies
- SQL injection in Cloudflare Analytics Engine queries (CVE-2026-56221)
- Privilege inversion allows read-only keys to cancel builds via SSE disconnect
Capgo, the open-source mobile app distribution platform built on Supabase, disclosed 25 security vulnerabilities in a coordinated batch on June 22–24, 2026, all fixed in version 12.128.2 (and 12.128.12 for two CVEs). The disclosure reveals a systemic failure in the platform's authorization, authentication, and data-access layers, with bugs spanning SQL injection, authentication bypass, information disclosure, denial of service, and privilege escalation. The sheer breadth of the batch — and the fact that many flaws are exploitable by unauthenticated attackers or low-privilege API keys — makes this one of the most consequential security events for the Capgo ecosystem to date.
Authentication & Authorization Bypasses
A cluster of CVEs targets Capgo's broken authentication and authorization logic. CVE-2026-56237 allows unauthenticated API key generation via client-side parameter manipulation, because the backend fails to validate that keys are securely generated and bound to the authenticated user. CVE-2026-56256 bypasses mandatory two-factor authentication at the backend: the UI enforces 2FA, but sensitive Organization management API endpoints do not validate 2FA completion server-side, so an Admin who has not enabled 2FA can still modify org details or invite users. CVE-2026-56310 lets org-limited API keys bypass limited_to_orgs restrictions on the GET /organization/members endpoint, leaking membership data (uid, email, image_url, role) from other organizations. CVE-2026-56225 similarly bypasses app-scoped key restrictions in API key management handlers, allowing an app-scoped key to enumerate, update, or delete keys belonging to other apps.
Subkey & Scope Enforcement Failures
Several CVEs expose weaknesses in Capgo's subkey and scope enforcement. CVE-2026-56232 and CVE-2026-56306 both involve the x-limited-key-id header: the first allows attackers to bypass limited_to_orgs and limited_to_apps constraints by referencing their own subkeys, causing downstream handlers to use the unrestricted parent key; the second exploits weak header parsing — malformed values, zero, or duplicate headers that produce NaN or falsy values — to disable limited-key enforcement entirely.
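To make the header-parsing failure concrete, here is an added example (not Capgo's code) that contrasts a loose parse of x-limited-key-id with a fail-closed resolver covering both the falsy-value and the own-subkey cases described above; the key table, its field names and the parent/child ownership rule are assumptions for the demo.

```javascript
// Added example (not Capgo's code): how a loose parse of x-limited-key-id
// can disable scope enforcement, and a fail-closed resolver that does not.
// Key records are constructed for the demo; an empty list means "unrestricted".
const KEYS = new Map([
  [1, { id: 1, parent: null, orgs: [], apps: [] }],               // unrestricted parent key
  [2, { id: 2, parent: 1, orgs: ['org_a'], apps: ['app_a'] }],    // subkey of key 1
  [3, { id: 3, parent: 7, orgs: ['org_z'], apps: [] }],           // subkey owned by another key
  [4, { id: 4, parent: 2, orgs: ['org_a', 'org_b'], apps: [] }],  // child of key 2, declared wider
]);

// Weak pattern: Number() then a truthiness check. "abc", "0", "", "2, 2"
// (two headers joined by Node) and ["2", "2"] all become NaN or 0, the branch
// is skipped, and the request proceeds with the caller's unrestricted scope.
function resolveScopeWeak(authKey, headerValue) {
  const id = Number(headerValue);
  if (id) {
    const sub = KEYS.get(id);
    if (sub) return { enforced: true, orgs: sub.orgs, apps: sub.apps };
  }
  return { enforced: false, orgs: authKey.orgs, apps: authKey.apps };
}

// Intersect two limit lists; an empty list means unrestricted.
function narrow(a, b) {
  if (a.length === 0) return b.slice();
  if (b.length === 0) return a.slice();
  return a.filter((x) => b.includes(x));
}

// Fail-closed resolver: the header must be a single canonical positive integer,
// must name a direct child of the authenticated key, and the result is never
// wider than the authenticated key's own limits. Returns null to signal that
// the request must be rejected rather than handled unscoped.
function resolveScopeStrict(authKey, headerValue) {
  if (headerValue === undefined) return { orgs: authKey.orgs, apps: authKey.apps };
  if (typeof headerValue !== 'string' || !/^[1-9][0-9]{0,9}$/.test(headerValue)) return null;
  const sub = KEYS.get(Number(headerValue));
  if (!sub || sub.parent !== authKey.id) return null;
  return { orgs: narrow(authKey.orgs, sub.orgs), apps: narrow(authKey.apps, sub.apps) };
}
```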
Information Disclosure & Enumeration
Unauthenticated information disclosure is a recurring theme. CVE-2026-56337 exposes the public.exist_app_v2 RPC function, letting unauthenticated attackers enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters. CVE-2026-56323 and CVE-2026-56322 both target the /channel_self and /updates endpoints, enabling unauthenticated channel enumeration and private-channel probing. CVE-2026-56311 lets unauthenticated attackers retrieve arbitrary organization plan limits via the public.get_current_plan_max_org RPC function using only the public Supabase key.
Data Integrity & Storage Misconfigurations
CVE-2026-56302 reveals that Capgo's Supabase images bucket lacks any row-level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons — leaking sensitive app IDs and user IDs. CVE-2026-56257 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership where old-org keys retain access to version data. CVE-2026-56245 lets unauthenticated attackers poison build-time accounting records via the record_build_time RPC function, potentially corrupting billing data.
SQL Injection & Denial of Service
CVE-2026-56221 is a standout: multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API keys can inject arbitrary SQL through Cloudflare Analytics Engine queries. On the denial-of-service front, CVE-2026-56338 prevents email verification for two-factor authentication by returning HTTP 500 errors from the /auth/v1/otp endpoint; CVE-2026-56248 exploits a costly RLS policy on the audit_logs table to cause denial of service via unfiltered PostgREST queries; and CVE-2026-56255 allows unlimited demo app creation without rate limiting, generating ~138 database rows per invocation.
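As an added illustration of the interpolation bug class (not Capgo's code), the snippet below places a query builder that splices request-body values straight into SQL next to one that allowlists each value first; it assumes the analytics backend accepts only a raw SQL string with no bind parameters, and the table, column names and query text are illustrative rather than Capgo's schema.

```javascript
// Added example (not Capgo's code): building an analytics query from request
// input. The weak builder interpolates the body straight into SQL; the strict
// one allowlists every value and refuses the request otherwise. Table and
// column names are constructed for the demo.
function buildStatsQueryWeak(body) {
  return `SELECT blob1 AS app_id, SUM(double1) AS downloads
          FROM app_stats WHERE blob1 = '${body.app_id}'
          AND timestamp > NOW() - INTERVAL '${body.days}' DAY`;
}

// Reverse-domain app id only: letters, digits, dots, underscores, hyphens.
const APP_ID = /^[a-z0-9]+(\.[a-z0-9_-]+)+$/i;

function buildStatsQueryStrict(body) {
  if (typeof body.app_id !== 'string' || !APP_ID.test(body.app_id)) {
    throw new RangeError('invalid app_id');
  }
  const days = Number(body.days);
  if (!Number.isInteger(days) || days < 1 || days > 90) {
    throw new RangeError('invalid days');
  }
  // Both values are now known-shaped: app_id cannot carry quotes or
  // whitespace, days is a bounded integer. Only the validated copies are used.
  return `SELECT blob1 AS app_id, SUM(double1) AS downloads
          FROM app_stats WHERE blob1 = '${body.app_id}'
          AND timestamp > NOW() - INTERVAL '${days}' DAY`;
}
```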
Privilege Inversion & Account Takeover
CVE-2026-56280 is a particularly dangerous privilege inversion: the GET /build/logs/:jobId endpoint registers an abort listener on the SSE stream that unconditionally calls cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY, so a read-only API key holder can cancel running native builds. CVE-2026-56223 enables cross-domain SSO account takeover by allowing attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization.
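The disconnect handler pattern behind that privilege inversion, shown as an added example that is not Capgo's code: the weak stream cancels on any abort using the server's builder key, while the hardened one only registers the listener when the caller could cancel anyway and acts with the caller's own key; the build store, key objects and BUILDER_API_KEY value are constructed for the demo.

```javascript
// Added example (not Capgo's code): an SSE log stream whose abort listener
// cancels the build. Build records, key objects and BUILDER_API_KEY are
// constructed for the demo.
const BUILDER_API_KEY = { id: 'builder', mode: 'write' };  // server-side only
const builds = new Map([['job-1', { state: 'running', cancelledBy: null }]]);

// Cancellation is a write operation, so the cancel path itself refuses
// read-only keys; the handler must not smuggle in a more privileged key.
function cancelBuild(jobId, actorKey) {
  const build = builds.get(jobId);
  if (!build || build.state !== 'running') return false;
  if (actorKey.mode !== 'write') return false;
  build.state = 'cancelled';
  build.cancelledBy = actorKey.id;
  return true;
}

// Weak: any disconnect, from any key allowed to read logs, cancels the build
// with the server's privileged key (confused deputy).
function streamLogsWeak(jobId, signal) {
  signal.addEventListener('abort', () => cancelBuild(jobId, BUILDER_API_KEY), { once: true });
}

// Hardened: register the listener only for keys that could cancel the build
// anyway, and let it act with the caller's own authority.
function streamLogsStrict(jobId, signal, callerKey) {
  if (callerKey.mode !== 'write') return false;  // read-only: a disconnect is just a disconnect
  signal.addEventListener('abort', () => cancelBuild(jobId, callerKey), { once: true });
  return true;
}

function buildState(jobId) { return builds.get(jobId).state; }
function cancelledBy(jobId) { return builds.get(jobId).cancelledBy; }
function resetBuild(jobId) { builds.set(jobId, { state: 'running', cancelledBy: null }); }
```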
Response & Patch Status
All 25 CVEs are addressed in Capgo version 12.128.2, with two exceptions: CVE-2026-56248 and CVE-2026-56314 were fixed in version 12.128.12. The vendor has not published a standalone advisory, but the fixes are included in the standard release channel. Users of Capgo should upgrade to 12.128.2 (or 12.128.12 for the two outliers) immediately. No in-the-wild exploitation has been reported at the time of disclosure.
This batch underscores the risks of building on a platform-as-a-service layer like Supabase without rigorous security review of RPC functions, RLS policies, and API key scoping. For Capgo users — particularly those managing enterprise orgs with SSO and 2FA — the cluster of authentication and authorization bypasses means that trust boundaries within the platform were effectively absent. The disclosure should serve as a catalyst for a broader audit of Capgo's backend security model.