PT-2026-51149 · Cap Go · Cap-Go

Judel777 · Published 2026-06-20 · Updated 2026-06-20 · CVE-2026-56235

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: capgo versions prior to 12.128.2

Description: An authorization bypass exists in several Supabase PostgREST RPC functions: get_app_metrics(), get_global_metrics(), and get_total_metrics(). These functions are granted to the anon role without enforcing permission checks or organization membership. An unauthenticated attacker holding only a public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry, including monthly active users (MAU), bandwidth, installs, and gets. This also allows enumeration of app IDs for a target organization and confirmation of whether an organization exists, since a valid organization returns metrics and an invalid one returns an empty list.

Recommendations: Update to version 12.128.2 or later. As a temporary workaround, restrict access to the get_app_metrics(), get_global_metrics(), and get_total_metrics() functions.
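What the weakness and the workaround look like at the database layer, as an added example that is not Capgo's own SQL: an audit query listing functions the anon role can execute, the REVOKE behind the advisory's workaround, and a rewrite of one function that checks organization membership before returning anything. The function signature get_total_metrics(org_id uuid), the org_users and org_usage table names, and the returned columns are assumptions.

```sql
-- Added example, not from the Capgo project. Assumes: functions live in the
-- PostgREST-exposed schema "public"; a membership table org_users(user_id, org_id)
-- and a usage table org_usage(org_id, mau, bandwidth, installs, gets) (both assumed).

-- 1. Audit: every function in "public" that anon may execute is reachable at
--    /rest/v1/rpc/<name> with nothing more than the publishable API key.
SELECT p.oid::regprocedure AS callable_by_anon
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- 2. Temporary workaround from the advisory: take EXECUTE away from anon.
--    PUBLIC is revoked too, because functions are executable by PUBLIC by
--    default and anon would otherwise keep the privilege through it.
REVOKE EXECUTE ON FUNCTION public.get_app_metrics(uuid)    FROM anon, PUBLIC;
REVOKE EXECUTE ON FUNCTION public.get_global_metrics(uuid) FROM anon, PUBLIC;
REVOKE EXECUTE ON FUNCTION public.get_total_metrics(uuid)  FROM anon, PUBLIC;

-- 3. Durable fix: the function enforces membership itself, so a grant to the
--    wrong role no longer leaks data. auth.uid() is NULL for anon callers, so
--    the check fails for them; non-members get the same error whether or not
--    the org exists, which also closes the existence oracle.
CREATE OR REPLACE FUNCTION public.get_total_metrics(org_id uuid)
RETURNS TABLE (mau bigint, bandwidth bigint, installs bigint, gets bigint)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF NOT EXISTS (
      SELECT 1
      FROM public.org_users ou
      WHERE ou.org_id = get_total_metrics.org_id
        AND ou.user_id = auth.uid()
  ) THEN
    RAISE EXCEPTION 'not a member of this organization'
      USING ERRCODE = '42501';  -- insufficient_privilege
  END IF;

  RETURN QUERY
    SELECT u.mau, u.bandwidth, u.installs, u.gets
    FROM public.org_usage u
    WHERE u.org_id = get_total_metrics.org_id;
END;
$$;

-- Grant back only to signed-in users; anon stays revoked.
GRANT EXECUTE ON FUNCTION public.get_total_metrics(uuid) TO authenticated;
```

Run the audit query again after the change; the three metrics functions should no longer appear in its output.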

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-56235

Affected Products

Cap-Go