CVE-2026-56234
EUVD-2026-38429
23.06.2026, 13:16
Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint, which can be called with only the public Supabase key and no user authentication. The endpoint is CORS-permissive (wildcard origin allowed) and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks to compromise user accounts.
Source: Enginsight
Awaiting analysis
This vulnerability is currently awaiting analysis.