CVE 6.9 MEDIUM

Capgo – Unauthenticated Cross-Tenant Metrics Poisoning via upsert_version_meta RPC_CVE-2026-56213

June 19, 2026 invoker category_cve
6.9 / 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.

Basic Information

ID CVE-2026-56213
Source VulnCheck
Published Jun 20, 2026 at 00:14

Affected Product

Vendor Capgo
Product Capgo
Affected Versions Capgo Capgo 0

CWE Classification

CWE-862

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.