CVE-2026-56311

MEDIUM 5.3

Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information including MAU, bandwidth, storage, and build time limits for any organization.

CWE	CWE-285
Vendor	capgo
Product	capgo
Published	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for capgo capgo

Be the first to know when new medium vulnerabilities affecting capgo capgo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

Capgo / Capgo

0 < 12.128.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cap-go/capgo/security/advisories/GHSA-v3jp-r95g-x4mm vulncheck.com: https://www.vulncheck.com/advisories/capgo-unauthenticated-cross-tenant-disclosure-via-get-current-plan-max-org-rpc

Credits

🔍 Judel777