CVE-2026-56214

hype MOSTLY HYPE · 32 hack

Vendor patch released same-day, but no exploitation signal, KEV, or PoC; standard coordinated disclosure chatter.

What: Capgo before v12.128.2 leaks organization membership and billing status via unauthenticated Supabase PostgREST RPC endpoints (is_trial_org, is_paying_org).

Why it matters: Posts confirm the vendor patched in v12.128.2 the same day (June 20, 2026); the information disclosure allows account enumeration and competitive intelligence. No KEV listing, CVSS/EPSS unavailable, and no PoC or in-the-wild exploitation signal yet; this is an early coordinated disclosure pattern.

Where it's seen: Social media alert accounts (CVEnew, infoflowcloud, Bluesky) broadcasting advisory summary within hours of patch release; no researcher PoC, defender triage, or incident reports visible.

RISK: MODERATE — Unauthenticated info disclosure with rapid vendor patch; limited immediate impact surface.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/20/2026, 3:09:44 AM

No NVD details ingested for this CVE yet.