PT-2026-51037 · Cap Go · Cap-Go

Judel777 · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-56079

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Capgo versions prior to 12.128.2

Description

A cross-tenant authorization bypass exists in PostgREST endpoints. This issue allows API keys with organization-level read permissions to access webhook secrets and delivery logs belonging to other tenants. An attacker can query the "/webhooks" and "/webhook deliveries" endpoints to exfiltrate HMAC (Hash-based Message Authentication Code) signing secrets and delivery payloads, which can be used to forge webhook events against victim organizations.

Recommendations

Update to version 12.128.2 or later.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-56079

Affected Products

Cap-Go