PT-2026-51221 · Cap Go · Cap-Go

Judel777

·

Published

2026-06-21

·

Updated

2026-06-21

·

CVE-2026-56242

CVSS v3.1

7.5

High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Capgo before 12.128.2 exposes an unauthenticated SECURITY DEFINER RPC function, get identity apikey only, that returns the owning user ID for a supplied API key. Because the function answers differently for valid and invalid keys, it acts as an API key validity oracle; because it returns the owner, it also discloses user identities. An attacker can call the endpoint with candidate keys to confirm which are valid and map each key to a user identifier, then chain those results into other exposed RPCs such as get orgs v6 to retrieve organization membership and management email addresses (PII).
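The pattern behind this class of bug, and the fix a reviewer would expect, is easier to see in SQL than in prose. The block below is an added illustration written for this entry; it is not Capgo's code, and the table name, function name and column names are hypothetical. It assumes a Supabase/PostgREST deployment, where every function in the exposed schema is reachable as an RPC and where, by PostgreSQL default, EXECUTE on a new function is granted to PUBLIC (and therefore to the unauthenticated `anon` role). It shows the vulnerable shape, the privilege change that closes it, a default that prevents the next function from being born exposed, and an audit query that lists any remaining SECURITY DEFINER functions the anonymous role can still call.

```sql
-- Added example, not from the Capgo project. Names are hypothetical.

-- Constructed lookup table: an API key and the user who owns it.
CREATE TABLE IF NOT EXISTS apikeys_example (
  key     text PRIMARY KEY,
  user_id uuid NOT NULL
);

-- Vulnerable shape: SECURITY DEFINER runs as the function owner, so row-level
-- security on apikeys_example does not apply to the caller, and PostgreSQL's
-- default EXECUTE grant to PUBLIC lets the anon role invoke it over PostgREST
-- without any JWT. A valid key returns the owner's uuid, an invalid key returns
-- NULL: that difference is the validity oracle, the uuid is the identity leak.
CREATE OR REPLACE FUNCTION get_identity_apikey_only_example(apikey text)
RETURNS uuid
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
  SELECT user_id FROM apikeys_example WHERE key = apikey;
$$;

-- Fix 1: the function exists for the backend, so only the backend may call it.
-- service_role is the Supabase role used by server-side code; anon and
-- authenticated are the roles behind client JWTs.
REVOKE EXECUTE ON FUNCTION get_identity_apikey_only_example(text)
  FROM PUBLIC, anon, authenticated;
GRANT  EXECUTE ON FUNCTION get_identity_apikey_only_example(text)
  TO service_role;

-- Fix 2: stop the next function from being anonymously callable by default.
-- (Applies to functions later created by the role running this statement.)
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Audit: every SECURITY DEFINER function in the exposed schema that the
-- anonymous role can still execute. Each row is a candidate oracle and should
-- be justified or locked down as above.
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_get_function_identity_arguments(p.oid) AS args
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'public'
  AND  p.prosecdef
  AND  has_function_privilege('anon', p.oid, 'EXECUTE')
ORDER  BY 1, 2;
```

The audit query is the part worth running first: a SECURITY DEFINER function that `anon` can execute is not automatically a vulnerability, but each one is a place where the database's row-level security has been deliberately bypassed for whoever can reach the RPC, so each should be reviewed for exactly the valid/invalid-input distinction and the identifier-returning behaviour described in this entry.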

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2026-56242

Affected products

Cap-Go