CVE-2026-56244— Capgo - Webhook Signing Secret Disclosure via Non-Admin API Key
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-56244
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Capgo - Webhook Signing Secret Disclosure via Non-Admin API Key
Source: NVD (National Vulnerability Database)
Vulnerability Description
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-56244
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-56244
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-56244 (1)
Other References for CVE-2026-56244 (1)
Same Patch Batch · Capgo · 2026-06-24 · 10 CVEs total
| CVE-2026-56237 | 9.1 CRITICAL | Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation |
| CVE-2026-56232 | 8.8 HIGH | Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header |
| CVE-2026-56223 | 8.7 HIGH | Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user |
| CVE-2026-56231 | 7.6 HIGH | Capgo - Broken Object Level Authorization in Build Job Control via jobId Parameter |
| CVE-2026-56256 | 7.1 HIGH | Capgo - Two-Factor Authentication Bypass via Organization Management API |
| CVE-2026-56257 | 7.1 HIGH | Capgo - Authorization Bypass in App Ownership Transfer via Direct PostgREST Update |
| CVE-2026-56302 | 6.5 MEDIUM | Capgo - Unsecured Supabase Images Bucket via Missing Row Level Security |
| CVE-2026-56337 | 5.3 MEDIUM | Capgo - Information Disclosure via Unauthenticated RPC Function exist_app_v2 |
| CVE-2026-56338 | 5.3 MEDIUM | Capgo - Denial of Service in 2FA Email Verification via /auth/v1/otp Endpoint |
IV. Related Vulnerabilities
Same product: Capgo
- CVE-2026-56338
Capgo - Denial of Service in 2FA Email Verification via /aut - CVE-2026-56337
Capgo - Information Disclosure via Unauthenticated RPC Funct - CVE-2026-56310
Cap-go - Authorization Bypass in Organization Members Endpoi - CVE-2026-56302
Capgo - Unsecured Supabase Images Bucket via Missing Row Lev - CVE-2026-56257
Capgo - Authorization Bypass in App Ownership Transfer via D
Same vendor: Capgo
- CVE-2026-56338
Capgo - Denial of Service in 2FA Email Verification via /aut - CVE-2026-56337
Capgo - Information Disclosure via Unauthenticated RPC Funct - CVE-2026-56302
Capgo - Unsecured Supabase Images Bucket via Missing Row Lev - CVE-2026-56257
Capgo - Authorization Bypass in App Ownership Transfer via D - CVE-2026-56256
Capgo - Two-Factor Authentication Bypass via Organization Ma
Same weakness: CWE-200
- CVE-2026-57231
Podman: Malformed Image can trick podman run into leaking ho - CVE-2026-55180
pnpm: Repository config can expand victim environment secret - CVE-2026-50017
pnpm binds unscoped user-level npm auth credentials to a rep - CVE-2026-52815
Gogs: Unauthenticated Organization Teams Information Disclos - CVE-2026-53949
Ghost Content API filter bypass reveals private fields
V. Comments for CVE-2026-56244
No comments yet