Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-56339 is an information disclosure vulnerability in Capgo's Supabase PostgREST SECURITY DEFINER RPC function that leaks organization existence through error message differentiation. When unauthenticated attackers call the public.rescind_invitation function with only a publishable API key, the system returns distinct error messages—"NO_ORG" versus "NO_RIGHTS"—that reveal whether an organization ID is valid. This seemingly minor distinction is a critical information leak: attackers can systematically enumerate valid organization identifiers and build target lists for downstream attacks like phishing, account takeover, or social engineering campaigns. Organizations using Capgo before version 12.128.2 are affected, particularly those handling multi-tenant SaaS environments where organization enumeration significantly expands the attack surface.
While this CVE maps to CWE-203 (Observable Discrepancy) rather than specific MITRE ATT&CK techniques, Casky's Claude-powered security skills would detect the reconnaissance patterns underlying this attack. A practitioner would observe behavior consistent with T1598 (Phishing) and T1589 (Gather Victim Identity Information) preparation phases—systematic API calls probing for valid organization identifiers, unusual patterns of 401/403 response code distributions, and clustering of requests with similar API keys but varying organization parameters. Casky's extended reasoning capabilities would flag the semantic significance of error message variance as a reconnaissance indicator, correlating API query patterns with known social engineering preparation tactics. The platform would surface these findings as early-stage reconnaissance activity, enabling defenders to implement rate limiting, disable public RPC functions, or require authentication before organization validation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-56339. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation