CVE-2026-56311
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
Capgo before version 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information.
Risk Assessment
This vulnerability may lead to the disclosure of sensitive organizational information, posing risks of financial abuse and data privacy violations. Organizations could face financial and reputational losses.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing further authorization mechanisms for RPC endpoints is advisable.
Original NVD description (English source)
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.

