CVE-2026-56213

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2

Description An authorization bypass exists in the public.upsert version meta() SECURITY DEFINER function exposed via PostgREST RPC. This allows unauthenticated attackers to insert arbitrary rows into version meta for any app id by calling the RPC endpoint with a public anon key. This can be used to poison storage metrics, resulting in persistent false data in dashboards and the triggering of incorrect alerts across victim applications.

Recommendations Update to version 12.128.2 or later. As a temporary workaround, restrict access to the public.upsert version meta() function to minimize the risk of exploitation.