VYPR
Advisory · Published Jun 20, 2026 · 1 source

Capgo: Ten Vulnerabilities Disclosed Together, Including Scope Escalation and Unauthenticated Cross-Tenant Bugs


Key findings

  • CVE-2026-56216 allows app-limited API keys to escalate to unrestricted org-wide keys
  • Four unauthenticated CVEs target Supabase PostgREST RPC endpoints for cross-tenant attacks
  • CVE-2026-56215 enables SSO account takeover by poisoning the public.users.email field
  • CVE-2026-56081 lets attackers lock victims out of accounts by pre-registering with their email
  • All bugs fixed in versions 12.128.2 and 12.128.12; no active exploitation reported
  • The batch reveals systemic authorization weaknesses in Capgo's multi-tenant Supabase architecture

Ten Vulnerabilities Hit Capgo in a Single Disclosure Batch

Capgo, the open-source mobile app distribution platform built on Supabase, disclosed ten distinct security vulnerabilities on June 19–20, 2026, all patched in versions 12.128.2 and 12.128.12. The batch spans authentication logic flaws, authorization bypasses, information disclosure, and a critical scope-escalation bug — several of which can be chained to achieve full tenant compromise without any prior authentication.

Scope Escalation and Account Takeover

The most severe vulnerability is **CVE-2026-56216**, a scope-escalation flaw in the POST /functions/v1/apikey endpoint. An attacker who compromises an app-limited API key can mint an unrestricted key by supplying empty limits, gaining org-wide access to app listings and resources. **CVE-2026-56215** enables account takeover via SSO provisioning: an authenticated attacker can change their public.users.email to a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker's account. **CVE-2026-56081** allows an attacker to register an account with a victim's email before verification, enable 2FA on that account, and permanently lock the victim out of their own email-bound account.

Unauthenticated Cross-Tenant Attacks

Four vulnerabilities require no authentication at all. **CVE-2026-56214** exposes Supabase RPC endpoints is_trial_org and is_paying_org to unauthenticated callers, enabling organization enumeration and billing-status disclosure using only the public sb_publishable key. **CVE-2026-56213** lets an unauthenticated attacker call the public.upsert_version_meta SECURITY DEFINER function to insert arbitrary rows into version_meta for any app_id, poisoning cross-tenant metadata. **CVE-2026-56082** similarly abuses the public.record_build_time RPC function — also callable with only the public anon key — to insert billing log rows for any tenant. **CVE-2026-56079** allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs via PostgREST endpoints, exfiltrating HMAC signing secrets.
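The pattern behind the two RPC write bugs (CVE-2026-56213 and CVE-2026-56082) is a SECURITY DEFINER function in the public schema that PostgREST exposes under /rest/v1/rpc/ and that the anon role may execute. The following PostgreSQL snippet is an added illustration, not Capgo's code: the tables (version_meta, app_members), the column list and the membership check are constructed stand-ins, and auth.uid() is Supabase's JWT-subject helper.

```sql
-- Added illustration (not Capgo's code) of the exposed-RPC pattern behind
-- CVE-2026-56213/56082, beside a hardened form. Schema is a constructed,
-- simplified stand-in; the real Capgo tables differ.

create table if not exists public.version_meta (
  app_id  text   not null,
  version text   not null,
  size    bigint,
  primary key (app_id, version)
);
-- Hypothetical tenant mapping used by the fix: which user belongs to which app.
create table if not exists public.app_members (
  app_id  text not null,
  user_id uuid not null,
  primary key (app_id, user_id)
);

-- WEAK: runs with the definer's privileges (RLS does not apply) and, because
-- Postgres grants EXECUTE on a new function to PUBLIC, is reachable as
-- POST /rest/v1/rpc/upsert_version_meta with only the anon key.
-- Nothing ties the caller to p_app_id, so any tenant's rows can be written.
create or replace function public.upsert_version_meta(p_app_id text, p_version text, p_size bigint)
returns void language sql security definer as $$
  insert into public.version_meta (app_id, version, size)
  values (p_app_id, p_version, p_size)
  on conflict (app_id, version) do update set size = excluded.size;
$$;

-- HARDENED: (1) require a JWT subject, (2) verify the caller is a member of
-- the target app before the privileged write, (3) pin search_path so the
-- definer-privileged body cannot be redirected to attacker-created objects.
create or replace function public.upsert_version_meta(p_app_id text, p_version text, p_size bigint)
returns void language plpgsql security definer set search_path = public as $$
begin
  if auth.uid() is null then
    raise exception 'authentication required';
  end if;
  if not exists (select 1 from public.app_members m
                 where m.app_id = p_app_id and m.user_id = auth.uid()) then
    raise exception 'caller is not a member of app %', p_app_id;
  end if;
  insert into public.version_meta (app_id, version, size)
  values (p_app_id, p_version, p_size)
  on conflict (app_id, version) do update set size = excluded.size;
end;
$$;

-- (4) Remove the implicit PUBLIC grant and Supabase's anon grant, so a call
-- with the publishable/anon key fails with a permission error before the
-- body runs; only authenticated JWTs may invoke it.
revoke execute on function public.upsert_version_meta(text, text, bigint) from public, anon;
grant  execute on function public.upsert_version_meta(text, text, bigint) to authenticated;
```

The same audit applies to read-only RPCs such as the is_trial_org / is_paying_org pair in CVE-2026-56214: any function in an exposed schema should be checked for an EXECUTE grant to anon and for a missing caller-to-tenant check.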

Authentication Logic Flaws

**CVE-2026-56212** describes a 2FA enforcement logic flaw: a user with permission to manage team security settings can mandate 2FA for all team members without having enabled 2FA on their own account. **CVE-2026-56080** affects the Enforce Password Policy feature — after a Super Admin enables the policy and changes their password to a compliant one, the backend fails to update the compliance state, repeatedly forcing password changes. **CVE-2026-56073** allows attackers to bypass email OTP verification entirely by intercepting and manipulating HTTP responses to falsely mark verification as successful.

Patch Status and Mitigation

Capgo addressed the majority of the disclosed vulnerabilities in version 12.128.2. One exception is **CVE-2026-56215** (the SSO account-merge bug), which required a fix in version 12.128.12. All users running versions prior to these releases should upgrade immediately. No in-the-wild exploitation has been publicly reported as of the disclosure date.

Why This Batch Matters

This disclosure reveals systemic weaknesses in Capgo's authorization layer, particularly around Supabase PostgREST RPC functions that were inadvertently exposed to unauthenticated or low-privilege callers. The concentration of cross-tenant bugs — four of the ten CVEs — underscores the risk of multi-tenant platforms built on shared database schemas with insufficient row-level security. Capgo users should treat this batch as a signal to audit their tenant isolation boundaries and ensure they are running at least version 12.128.12.

Synthesized by Vypr AI