CVE-2026-56311 | Capgo before 12.128.2 contains an authorization bypass vulne… | CVSS 5.3 MEDIUM

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.

Metadata

CVE ID: CVE-2026-56311
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:53 UTC
Published: 2026-06-22 21:04 UTC
Last updated: 2026-06-22 21:04 UTC
Primary CWE: CWE-285
Improper Authorization
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-285	cna	Improper Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (2)

GitHub Security Advisory (GHSA-v3jp-r95g-x4mm) https://github.com/Cap-go/capgo/security/advisories/GHSA-v3jp-r95g-x4mm
VulnCheck Advisory: Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC https://www.vulncheck.com/advisories/capgo-unauthenticated-cross-tenant-disclosure-via-get-current-plan-max-org-rpc