CVE-2026-56238: Capgo - Unauthenticated Information Disclosure via PostgREST global_stats Endpoint
Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/global_stats endpoint to expose MRR, total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.
Security readout for executives and security teams
Plain-English summary
Capgo versions before 12.128.2 exposed sensitive business metrics through an unauthenticated API path. An outside party with only the public API key could read financial and operational data such as MRR, revenue breakdowns, customer counts, and telemetry. This is a confidentiality issue, not a system takeover issue based on the provided sources.
Executive priority
Treat as high priority where Capgo is internet-facing or stores sensitive commercial metrics. The main business risk is disclosure of revenue, customer, and operational data. Prioritize upgrade and exposure review; no source currently confirms active exploitation.
Technical view
CVE-2026-56238 is a CWE-200 information disclosure in Capgo’s Supabase PostgREST global_stats endpoint. The advisory describes unauthenticated remote access using the public apikey. CVSS v4.0 is 8.7, driven by network reachability, low complexity, no privileges, no user interaction, and high vulnerable-system confidentiality impact.
Likely exposure
Organizations running Capgo before 12.128.2 are the likely exposure group. Risk is highest where the affected PostgREST API is reachable from untrusted networks and uses the public apikey model described in the advisory.
Exploitation context
The sources describe remote unauthenticated data exposure, but do not cite active exploitation. CISA KEV status in the provided bundle is false. The disclosed data could support competitive intelligence, customer targeting, or business-sensitive reconnaissance.
Researcher notes
Evidence is limited to the CVE record, GitHub advisory, and VulnCheck advisory. The provided CVSS vector indicates confidentiality impact only, with no integrity or availability impact. Avoid assuming broader Capgo components are affected beyond the described global_stats PostgREST endpoint.
Mitigation direction
Upgrade Capgo to version 12.128.2 or later.
Review the GitHub advisory for vendor-specific remediation guidance.
Restrict unauthenticated access to sensitive PostgREST data endpoints.
Review Supabase/PostgREST authorization policies for global_stats exposure.
Monitor API logs for unexpected anonymous access to global_stats.
Validation and detection
Inventory all Capgo deployments and record running versions.
Confirm exposed deployments are on 12.128.2 or later.
Verify global_stats is not anonymously readable in production.
Review logs for unusual access to business-metrics endpoints.
Document any exposed metrics for incident assessment.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
0ADP providers
3Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.