Impact
A privilege escalation flaw exists in the Capgo public.apply_usage_overage function, which is declared with SECURITY DEFINER. Because the function runs with the owner's privileges and contains no authentication checks—such as validating auth.uid(), organization membership, or minimum rights—an attacker able to execute the function can alter billing records for any organization. The compromise includes unauthorized credit deduction and the insertion of fraudulent usage overage events, directly affecting financial data integrity and potentially leading to revenue loss.
Affected Systems
The vulnerability is present in Capgo installations prior to version 12.128.2. Users deploying Capgo without this version could be using the superseded public.apply_usage_overage RPC function, typically accessed via Supabase."
Risk and Exploitability
The CVSS base score of 7.2 classifies the issue as a high‑severity vulnerability, though the EPSS score is not disclosed and it is not listed in the CISA KEV catalog. An attacker can exploit the flaw by invoking the function through Supabase RPC, provided the user role has EXECUTE permission. The function bypasses row‑level security, so the privilege escalation would be effective even for users with limited permissions if such privileges are granted to the role. Given the potential for financial damage, the risk warrants immediate mitigation.
OpenCVE Enrichment