CVE-2026-56302 | Capgo before 12.128.2 contains an unsecured images bucket la… | CVSS 6.5 MEDIUM

Description

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.

Metadata

CVE ID: CVE-2026-56302
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:49 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 11:53 UTC
Primary CWE: CWE-284
Improper Access Control
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	Improper Access Control

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (2)

GitHub Security Advisory (GHSA-8hq3-gg3m-vwvr) https://github.com/Cap-go/capgo/security/advisories/GHSA-8hq3-gg3m-vwvr
VulnCheck Advisory: Capgo - Unsecured Supabase Images Bucket via Missing Row Level Security https://www.vulncheck.com/advisories/capgo-unsecured-supabase-images-bucket-via-missing-row-level-security