Description
Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks (no validation of auth.uid(), org membership, or check_min_rights). Because the function runs with the owner's privileges, it bypasses Row Level Security. If EXECUTE permission is available to the authenticated or anon roles (explicitly or via default privileges), an authenticated user could invoke it via Supabase RPC to manipulate billing data for arbitrary organizations, including unauthorized credit depletion and fraudulent overage event insertion.
Published: 2026-06-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A privilege escalation flaw exists in the Capgo public.apply_usage_overage function, which is declared with SECURITY DEFINER. Because the function runs with the owner's privileges and contains no authentication checks—such as validating auth.uid(), organization membership, or minimum rights—an attacker able to execute the function can alter billing records for any organization. The compromise includes unauthorized credit deduction and the insertion of fraudulent usage overage events, directly affecting financial data integrity and potentially leading to revenue loss.

Affected Systems

The vulnerability is present in Capgo installations prior to version 12.128.2. Users deploying Capgo without this version could be using the superseded public.apply_usage_overage RPC function, typically accessed via Supabase."

Risk and Exploitability

The CVSS base score of 7.2 classifies the issue as a high‑severity vulnerability, though the EPSS score is not disclosed and it is not listed in the CISA KEV catalog. An attacker can exploit the flaw by invoking the function through Supabase RPC, provided the user role has EXECUTE permission. The function bypasses row‑level security, so the privilege escalation would be effective even for users with limited permissions if such privileges are granted to the role. Given the potential for financial damage, the risk warrants immediate mitigation.

Generated by OpenCVE AI on June 21, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later where the apply_usage_overage function is secured with proper authorization checks.
  • Revoke or restrict EXECUTE privileges on the public.apply_usage_overage function so that only trusted administrative roles retain execution rights.
  • If the function is not required for operational purposes, drop or replace it with a controlled process that enforces explicit authorization checks.

Generated by OpenCVE AI on June 21, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks (no validation of auth.uid(), org membership, or check_min_rights). Because the function runs with the owner's privileges, it bypasses Row Level Security. If EXECUTE permission is available to the authenticated or anon roles (explicitly or via default privileges), an authenticated user could invoke it via Supabase RPC to manipulate billing data for arbitrary organizations, including unauthorized credit depletion and fraudulent overage event insertion.
Title Capgo - Privilege Escalation via SECURITY DEFINER Function apply_usage_overage
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:38:16.813Z

Reserved: 2026-06-19T21:50:06.625Z

Link: CVE-2026-56239

cve-icon Vulnrichment

Updated: 2026-06-24T15:37:36.389Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:32Z

Weaknesses
  • CWE-269

    Improper Privilege Management