What is GHSA-7hf5-4jq6-894f?

GHSA-7hf5-4jq6-894f is a security advisory published by GitHub Security Advisories with High severity. Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST...

Which CVE IDs does GHSA-7hf5-4jq6-894f cover?

GHSA-7hf5-4jq6-894f covers the following CVE IDs: CVE-2026-56079. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-7hf5-4jq6-894f?

GHSA-7hf5-4jq6-894f has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

GHSA-7hf5-4jq6-894fHighCVSS 6.5

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST...

Vendor

GitHub Security Advisories

Published

June 20, 2026

Last Modified

June 20, 2026

🔗 CVE IDs covered (1)

CVE-2026-56079 →

📋 Description

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.

🔗 References (4)

https://github.com/Cap-go/capgo/security/advisories/GHSA-hj3h-v877-g5rx
https://nvd.nist.gov/vuln/detail/CVE-2026-56079
https://www.vulncheck.com/advisories/capgo-cross-tenant-authorization-bypass-via-postgrest-webhook-access
https://github.com/advisories/GHSA-7hf5-4jq6-894f