CVE-2026-56213

MEDIUM 5.3

Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via upsert_version_meta RPC

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.

CWE	CWE-862
Vendor	capgo
Product	capgo
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for capgo capgo

Be the first to know when new medium vulnerabilities affecting capgo capgo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

Capgo / Capgo

0 < 12.128.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cap-go/capgo/security/advisories/GHSA-g4hx-x8gc-x6rw vulncheck.com: https://www.vulncheck.com/advisories/capgo-unauthenticated-cross-tenant-metrics-poisoning-via-upsert-version-meta-rpc

Credits

🔍 Judel777