Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/global_stats endpoint to expose MRR, total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.
Problem types
Exposure of Sensitive Information to an Unauthorized Actor
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-73rv-fpp7-r3r4
github.com/.../capgo/security/advisories/GHSA-73rv-fpp7-r3r4 (GitHub Security Advisory (GHSA-73rv-fpp7-r3r4))
www.vulncheck.com/...ure-via-postgrest-global-stats-endpoint (VulnCheck Advisory: Capgo - Unauthenticated Information Disclosure via PostgREST global_stats Endpoint)