Impact
Capgo (Cap-go/Capgo) before 12.128.2 exposes an insecure PostgREST RPC function, public.record_build_time, that is granted to the anon role and can therefore be invoked with nothing more than the public Supabase publishable key. The function lets an unauthenticated caller insert rows into the public.build_logs table for any organization, and because the statement uses ON CONFLICT (build_id, org_id) DO UPDATE, reusing a build_id that already exists for a target organization overwrites that organization's existing usage and billing record instead of failing. The result is cross-tenant tampering with billing data, including the ability to inflate billable build time, which amounts to a denial of service with direct financial impact. The root cause is improper access control (CWE-284).
Affected Systems
The affected product is Capgo (Cap-go/Capgo) in every version prior to 12.128.2. The flaw resides in the public.record_build_time RPC, which is executable by the anon role and therefore by anyone holding the deployment's Supabase publishable sb_publishable_* key. Capgo deployments that expose this RPC through Supabase and have not upgraded to 12.128.2 or later are exposed.
Risk and Exploitability
A CVSS score of 8.7 rates this issue as high severity. No EPSS score is available, but exploitation is straightforward: the RPC requires no authentication beyond the publishable key, which is public by design, and it writes and overwrites billing log entries directly. The vulnerability is not listed in CISA's KEV catalog. An attacker exploits the flaw by sending an unauthenticated RPC request to public.record_build_time with an arbitrary organization identifier and build ID, thereby altering the financial records of other tenants.
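The upsert-and-grant pattern described in the Impact section, the way an attacker reaches it as described above, and the fix a practitioner would apply, shown together as an added example in PostgreSQL/Supabase SQL. This is not Capgo's code: the parameter list (p_org_id, p_build_id, p_seconds), the build_logs column names, and the org_users membership table are assumptions, since the advisory names only the function, the target table and its ON CONFLICT clause. The check query at the end does not depend on those assumptions and can be run against any deployment.

```sql
-- Added example, not Capgo's code. The signature and column names below are
-- assumed; the advisory names only the function, the table and the ON CONFLICT key.

-- 1. The vulnerable shape described in the advisory: an upsert keyed on
--    (build_id, org_id) that trusts the caller-supplied org_id and is
--    executable by the anon role, so the publishable key alone is enough.
create or replace function public.record_build_time(
  p_org_id   uuid,
  p_build_id uuid,
  p_seconds  integer
) returns void
language sql
security definer            -- runs as the function owner, so RLS on build_logs does not apply
as $$
  insert into public.build_logs (org_id, build_id, build_seconds)
  values (p_org_id, p_build_id, p_seconds)
  on conflict (build_id, org_id)
  do update set build_seconds = excluded.build_seconds;   -- silently overwrites an existing row
$$;
grant execute on function public.record_build_time(uuid, uuid, integer) to anon;

-- 2. Hardened shape. Revoke from PUBLIC as well as anon: Postgres grants EXECUTE
--    on new functions to PUBLIC by default, so revoking only from anon is not enough.
--    CREATE OR REPLACE keeps existing privileges, so revoke first, then replace, then grant.
revoke execute on function public.record_build_time(uuid, uuid, integer) from anon, public;

create or replace function public.record_build_time(
  p_org_id   uuid,
  p_build_id uuid,
  p_seconds  integer
) returns void
language plpgsql
security definer
set search_path = public    -- pin the search path for a SECURITY DEFINER body
as $$
begin
  -- auth.uid() is the Supabase JWT subject; it is NULL for the anon role.
  -- org_users is an assumed membership table; Capgo's real schema may differ.
  if auth.uid() is null or not exists (
       select 1 from public.org_users
       where org_id = p_org_id and user_id = auth.uid()
  ) then
    raise exception 'not a member of organization %', p_org_id
      using errcode = '42501';  -- insufficient_privilege
  end if;

  insert into public.build_logs (org_id, build_id, build_seconds)
  values (p_org_id, p_build_id, p_seconds)
  on conflict (build_id, org_id)
  do update set build_seconds = excluded.build_seconds;
end;
$$;
grant execute on function public.record_build_time(uuid, uuid, integer) to authenticated;

-- 3. Check for any deployment: does anon (directly or via PUBLIC) still hold EXECUTE
--    on an RPC named record_build_time? A TRUE here means the publishable key suffices.
select p.oid::regprocedure                                  as rpc,
       has_function_privilege('anon', p.oid, 'EXECUTE')     as anon_can_execute
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public' and p.proname = 'record_build_time';
```

The membership check is the substantive fix; restricting the grant alone still leaves the org_id argument unverified for any authenticated user, which would reduce the bug from unauthenticated to cross-tenant rather than remove it. Run the check query against the database after upgrading to confirm the grant actually changed.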
OpenCVE Enrichment