Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Capgo versions before 12.128.2 contain a critical security control bypass where the PostgREST/RLS (Row Level Security) plane fails to enforce hashed API key requirements. Despite administrators enabling enforce_hashed_api_keys to mandate secure key handling at the organizational level, the system still accepts plaintext API keys through the capgkey header. This vulnerability allows attackers to circumvent cryptographic protections designed to prevent key exposure, directly accessing protected resources and sensitive data. Organizations using Capgo for database access control are affected, particularly those relying on the hashed-key enforcement mechanism as part of their authentication strategy.
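The failure mode described above can be illustrated with a small model of a key resolver sitting in front of a PostgREST/RLS-style data plane. The following is an added example written for this page, not Capgo's own code or schema: it assumes that an API key row is stored either as the raw key (legacy) or as its SHA-256 hash, that `enforce_hashed_api_keys` is an org-level boolean, and that the `capgkey` header carries the caller's key. The insecure resolver matches the header against every stored row and never consults the org policy, which is the shape of bypass the advisory describes; the hardened resolver refuses to let plaintext rows authenticate once the org enforces hashed keys, and an audit helper lists the plaintext rows that would otherwise remain a latent bypass path.

```typescript
// Added example (not Capgo's code): modelling an org-level hashed-key policy
// that the data-plane key lookup either ignores (insecure) or honours (secure).
import { createHash, timingSafeEqual } from "node:crypto";

type Org = { id: string; enforce_hashed_api_keys: boolean };

// Assumed schema: a key row is stored either as the raw key (legacy) or as its
// SHA-256 hash. Nothing here reflects Capgo's real tables or hash choice.
type ApiKeyRecord = {
  id: string;
  org_id: string;
  storage: "plaintext" | "hashed";
  value: string;
};

const sha256Hex = (s: string): string =>
  createHash("sha256").update(s).digest("hex");

// Constant-time comparison; unequal lengths are rejected before comparing.
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Insecure resolver: matches the capgkey header against every row, plaintext
// or hashed, and never looks at the owning org's policy. A legacy plaintext
// key therefore still authenticates even where enforcement is switched on.
function resolveKeyInsecure(capgkey: string, keys: ApiKeyRecord[]): ApiKeyRecord | null {
  const digest = sha256Hex(capgkey);
  for (const k of keys) {
    const candidate = k.storage === "hashed" ? digest : capgkey;
    if (safeEqual(candidate, k.value)) return k;
  }
  return null;
}

// Hardened resolver: when the owning org enforces hashed keys, plaintext rows
// are not eligible to authenticate at all. Unknown orgs fail closed.
function resolveKeySecure(capgkey: string, keys: ApiKeyRecord[], orgs: Org[]): ApiKeyRecord | null {
  const digest = sha256Hex(capgkey);
  const policy = new Map<string, boolean>(
    orgs.map((o): [string, boolean] => [o.id, o.enforce_hashed_api_keys]),
  );
  for (const k of keys) {
    const enforced = policy.get(k.org_id) ?? true;
    if (enforced && k.storage !== "hashed") continue;
    const candidate = k.storage === "hashed" ? digest : capgkey;
    if (safeEqual(candidate, k.value)) return k;
  }
  return null;
}

// Defender-side audit: plaintext rows that still exist under an org whose
// policy says they must not be usable. Each is a row the insecure path honours.
function auditPlaintextKeys(keys: ApiKeyRecord[], orgs: Org[]): string[] {
  const enforcing = new Set(orgs.filter((o) => o.enforce_hashed_api_keys).map((o) => o.id));
  return keys
    .filter((k) => k.storage === "plaintext" && enforcing.has(k.org_id))
    .map((k) => k.id);
}

// Constructed sample data; these are not real keys.
const ORGS: Org[] = [
  { id: "org-a", enforce_hashed_api_keys: true },
  { id: "org-b", enforce_hashed_api_keys: false },
];
const LEGACY_KEY = "org-a-legacy-plaintext-key-EXAMPLE";
const MODERN_KEY = "org-a-hashed-key-EXAMPLE";
const ORG_B_LEGACY_KEY = "org-b-legacy-plaintext-key-EXAMPLE";
const KEYS: ApiKeyRecord[] = [
  { id: "k1", org_id: "org-a", storage: "plaintext", value: LEGACY_KEY },
  { id: "k2", org_id: "org-a", storage: "hashed", value: sha256Hex(MODERN_KEY) },
  { id: "k3", org_id: "org-b", storage: "plaintext", value: ORG_B_LEGACY_KEY },
];

// Walk-through: the legacy key is accepted by the insecure path and refused by
// the hardened one; the hashed key works in both; org-b is unaffected.
console.log("insecure, legacy key:", resolveKeyInsecure(LEGACY_KEY, KEYS)?.id ?? "rejected");
console.log("secure,   legacy key:", resolveKeySecure(LEGACY_KEY, KEYS, ORGS)?.id ?? "rejected");
console.log("secure,   hashed key:", resolveKeySecure(MODERN_KEY, KEYS, ORGS)?.id ?? "rejected");
console.log("secure,   org-b key: ", resolveKeySecure(ORG_B_LEGACY_KEY, KEYS, ORGS)?.id ?? "rejected");
console.log("audit (plaintext rows under enforcement):", auditPlaintextKeys(KEYS, ORGS));
```

The point of the audit helper is that flipping the org flag is not enough on its own: as long as plaintext rows remain in the store and some lookup path (here, the data plane) matches them without consulting the flag, the policy is configured but not enforced. A periodic query for plaintext rows under enforcing orgs, plus logging of authentications that succeed via a plaintext row, gives a detection signal for the gap the advisory describes.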
While this CVE doesn't map to specific MITRE ATT&CK techniques, Casky's security skills would identify attack patterns associated with Credential Access (T1110 - Brute Force, T1187 - Forced Authentication) and Lateral Movement (T1550 - Use Alternate Authentication Material). Practitioners reviewing Casky findings would observe unusual plaintext API key submissions to PostgREST endpoints, authentication bypass attempts that skip expected hashing validation layers, and successful resource access using credentials that should have been rejected by security controls. Extended reasoning across Casky's 754 mapped skills would flag the discrepancy between configured security policies (enforce_hashed_api_keys enabled) and actual enforcement behavior, highlighting the control bypass as a critical gap requiring immediate patching to version 12.128.2 or later.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-56243. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation