Capgo - Webhook Signing Secret Disclosure via Non-Admin API Key | Advisories

Advisories

Capgo - Webhook Signing Secret Disclosure via Non-Admin API Key

severity: high
date: 6/24/2026
Affecting: Capgo >= 0, < 12.128.2
CVE: CVE-2026-56244
CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 7.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-qrrx-x3qf-x87v)
Credit: Judel777
Description: Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers, breaking webhook authenticity and integrity.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo