CVE Catalog

CVE-2026-56248

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Summary

Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API.

Risk Assessment

Unauthenticated queries can lead to database resource exhaustion, resulting in cascading HTTP 500 errors on unrelated endpoints, jeopardizing application availability.

Recommendation

It is recommended to upgrade to version 12.128.12 or later to mitigate this vulnerability and to monitor queries to the public audit_logs endpoint.

Original NVD description (English source)

Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS