CVE-2026-56302 PUBLISHED

Capgo - Unsecured Supabase Images Bucket via Missing Row Level Security

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor Capgo
Product Capgo
Versions Default: unaffected
  • affected from 0 to 12.128.2 (excl.)
  • Version 12.128.2 is unaffected

Credits

  • WcaleNieWolny reporter

References

Problem Types

  • Improper Access Control CWE