CVE-2026-56213
MEDIUM · 5.3
Real vulnerability with a vendor patch but no exploitation signal yet; advisory age under 2 hours limits visibility.
What: Authorization bypass in Capgo <12.128.2 affecting the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated cross-tenant metrics poisoning.
Why it matters: Published today (June 20, 2026); enables unauthenticated attackers to manipulate storage metrics across tenant boundaries. CVSS 3.1 base score is 5.3 (Medium); no EPSS score and no KEV listing yet. Vendor patch (12.128.2) already exists, suggesting coordinated disclosure and rapid response.
Where it's seen: Automated CVE feeds and security aggregators amplifying the advisory within hours of publication. No working PoC, in-the-wild exploitation reports, or defender triage signals observed yet—only initial advisory chatter.
RISK: ELEVATED — Unauthenticated bypass affecting multi-tenant application; patch available but early adoption unknown.
Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.
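The security-relevant point is that a SECURITY DEFINER function runs with its owner's privileges, so row-level security on version_meta does not constrain the write; the function body is the only gate, and PostgreSQL grants EXECUTE on a new function to PUBLIC by default, which is how PostgREST ends up exposing it to the anon role. The SQL below is an added illustration, not Capgo's code: only the names public.upsert_version_meta, version_meta and app_id come from the advisory, while the table columns, the function parameters and the Supabase-style roles (anon, authenticated, service_role) are assumptions made for the example. It shows the vulnerable shape, one hardened shape, and the check a defender can run against their own database.

```sql
-- Added illustration, not Capgo's code. Only public.upsert_version_meta,
-- version_meta and app_id come from the advisory; the column list, the
-- parameters and the roles anon/authenticated/service_role are assumed.

-- Hypothetical minimal table the RPC writes to.
create table if not exists public.version_meta (
  app_id     text        not null,
  version_id bigint      not null,
  size       bigint      not null default 0,
  updated_at timestamptz not null default now(),
  primary key (app_id, version_id)
);

-- VULNERABLE shape. SECURITY DEFINER runs the body as the function owner, so
-- RLS on version_meta is irrelevant, and PostgreSQL grants EXECUTE on a new
-- function to PUBLIC by default. PostgREST therefore lets the anon role call
-- it as POST /rpc/upsert_version_meta, and nothing ties p_app_id to the caller.
create or replace function public.upsert_version_meta(
  p_app_id text, p_version_id bigint, p_size bigint)
returns void
language plpgsql
security definer
as $$
begin
  insert into public.version_meta (app_id, version_id, size, updated_at)
  values (p_app_id, p_version_id, p_size, now())
  on conflict (app_id, version_id)
  do update set size = excluded.size, updated_at = now();
end;
$$;

-- HARDENED shape: pin search_path (a definer function with an unpinned path
-- can be hijacked by a same-named object), check the caller's JWT role inside
-- the body, and remove the PUBLIC/anon/authenticated grants so only the
-- backend role that legitimately reports metrics can reach the RPC at all.
create or replace function public.upsert_version_meta(
  p_app_id text, p_version_id bigint, p_size bigint)
returns void
language plpgsql
security definer
set search_path = public, pg_temp
as $$
declare
  -- PostgREST exposes the verified JWT claims in this GUC; it is unset
  -- outside PostgREST, hence the nullif/coalesce guard.
  v_role text := coalesce(
    nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'role',
    '');
begin
  if v_role <> 'service_role' then
    raise exception 'upsert_version_meta: role "%" may not write version_meta',
      v_role using errcode = '42501';  -- insufficient_privilege
  end if;

  insert into public.version_meta (app_id, version_id, size, updated_at)
  values (p_app_id, p_version_id, p_size, now())
  on conflict (app_id, version_id)
  do update set size = excluded.size, updated_at = now();
end;
$$;

-- Revoking from anon alone is not enough: the implicit PUBLIC grant still
-- covers it, so PUBLIC must be revoked explicitly.
revoke execute on function public.upsert_version_meta(text, bigint, bigint)
  from public, anon, authenticated;
grant execute on function public.upsert_version_meta(text, bigint, bigint)
  to service_role;

-- CHECK: both columns must be false after the fix. On a freshly created
-- SECURITY DEFINER function they are true, which is the exposure.
select has_function_privilege('anon',
         'public.upsert_version_meta(text, bigint, bigint)', 'execute')
         as anon_can_call,
       has_function_privilege('authenticated',
         'public.upsert_version_meta(text, bigint, bigint)', 'execute')
         as authenticated_can_call;
```

Two caveats when adapting this. Inside a SECURITY DEFINER body `current_user` is the function owner, not the HTTP caller, so a role check must read the JWT claims GUC that PostgREST sets rather than `current_user`. And the in-body check is a second layer, not a substitute for the grants: a stricter fix than an allow-listed role is to verify that the caller actually owns the given app_id before writing, which requires an ownership relation the advisory does not describe and is therefore not shown here.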
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None