CVE-2026-56321 | Capgo (backend Supabase edge functions) before 12.128.2 does… | CVSS 5.3 MEDIUM

Description

Capgo (backend Supabase edge functions) before 12.128.2 does not apply the global authentication middleware to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_bindings routes, so unauthenticated requests reach the handler instead of being rejected at the middleware layer. The handler still performs its own authorization check and returns Unauthorized, so no direct data exposure occurs; the flaw is inconsistent authentication enforcement across HTTP methods that could enable authorization bypass if the handler logic changes.

Metadata

CVE ID: CVE-2026-56321
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:59 UTC
Published: 2026-06-22 21:04 UTC
Last updated: 2026-06-22 21:04 UTC
Primary CWE: CWE-306
Missing Authentication for Critical Function
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing Authentication for Critical Function

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (2)

GitHub Security Advisory (GHSA-6c9f-9v99-26ww) https://github.com/Cap-go/capgo/security/advisories/GHSA-6c9f-9v99-26ww
VulnCheck Advisory: Capgo - Missing Authentication Middleware on GET /private/role_bindings Endpoint https://www.vulncheck.com/advisories/capgo-missing-authentication-middleware-on-get-private-role-bindings-endpoint