CVE-2026-56302

EUVD-2026-38749
Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Common Weakness Enumeration
References
https://github.com/Cap-go/capgo/security/advisories/GHSA-8hq3-gg3m-vwvr
https://www.vulncheck.com/advisories/capgo-unsecured-supabase-images-bucket-via-missing-row-level-security
https://github.com/Cap-go/capgo/security/advisories/GHSA-8hq3-gg3m-vwvr