PT-2026-60114 · Cap Go · Cap-Go

Judel777

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-56339

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO ORG vs NO RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56339

Affected Products

Cap-Go