Description
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Supabase Capgo deployments prior to version 12.128.2 expose a SECURITY DEFINER RPC function, record_build_time, that can be called with only the public API key. This permits an unauthenticated attacker to insert arbitrary build-time records. The injected records corrupt billing and quota data for any organization, which can exhaust a victim organization's quota and manipulate cross-tenant accounting. The underlying weakness is improper privilege management (CWE-269): a SECURITY DEFINER function runs with the privileges of its owner, and here it could be invoked by an unauthenticated caller.

Affected Systems

The vulnerability affects Capgo (vendor Cap-go) deployments running any release before 12.128.2. Only versions earlier than 12.128.2 are susceptible; later releases patch the RPC function to enforce proper authorization.

Risk and Exploitability

With a CVSS score of 8.8, this issue is classified as high severity. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog, indicating no known active exploits at the time of this analysis. Attackers can exploit the flaw by issuing a POST request to /rest/v1/rpc/record_build_time using a public API key, thereby bypassing authentication and inserting malicious accounting records across tenant boundaries.

Generated by OpenCVE AI on June 24, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capgo version 12.128.2 or later, where the record_build_time RPC is restricted to authenticated users only.
  • If an upgrade is not yet feasible, disable or remove the record_build_time endpoint, or configure the service to reject calls that do not present a valid internal authentication token.
  • Deploy monitoring on record creation events and audit billing and quota data for anomalous patterns, ensuring that any unauthorized entries are quickly identified and corrected.
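As an added illustration of the weakness described above and of the restriction recommended in the first action (this is not Capgo's own code; the parameter list and the build_time and org_users tables are assumptions), the weak SECURITY DEFINER shape is shown beside a hardened one for a Supabase/PostgREST RPC:

```sql
-- Weak shape (assumed, not Capgo's actual code). SECURITY DEFINER runs as the
-- function owner, and Postgres grants EXECUTE on new functions to PUBLIC by
-- default, so the PostgREST "anon" role (public API key) can call it through
-- POST /rest/v1/rpc/record_build_time with no membership or auth check.
create or replace function public.record_build_time(org_id uuid, build_seconds integer)
returns void
language plpgsql
security definer
as $$
begin
  -- hypothetical accounting table build_time(org_id, seconds)
  insert into public.build_time (org_id, seconds) values (org_id, build_seconds);
end;
$$;

-- Hardened shape:
-- 1. no EXECUTE for PUBLIC/anon, only the authenticated role;
-- 2. pinned search_path so the definer function cannot be hijacked via a schema;
-- 3. caller must be a member of the organization whose quota is being charged.
create or replace function public.record_build_time(org_id uuid, build_seconds integer)
returns void
language plpgsql
security definer
set search_path = ''
as $$
begin
  if auth.uid() is null then
    raise exception 'authentication required';
  end if;
  if build_seconds is null or build_seconds <= 0 then
    raise exception 'invalid build time';
  end if;
  -- hypothetical membership table org_users(org_id, user_id)
  if not exists (
    select 1 from public.org_users m
    where m.org_id = record_build_time.org_id and m.user_id = auth.uid()
  ) then
    raise exception 'caller is not a member of organization %', org_id;
  end if;
  insert into public.build_time (org_id, seconds) values (org_id, build_seconds);
end;
$$;

-- Without the REVOKE, the default PUBLIC grant keeps the function reachable by anon.
revoke execute on function public.record_build_time(uuid, integer) from public, anon;
grant execute on function public.record_build_time(uuid, integer) to authenticated;
```

The REVOKE from PUBLIC is the step most often missed: re-creating a function with CREATE OR REPLACE keeps the default grant, so the authorization check inside the body and the grant outside it both need to be in place.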


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Cap-go; Cap-go cap-go

Type: Vendors & Products
Values removed: (none)
Values added: Cap-go; Cap-go cap-go

Wed, 24 Jun 2026 12:00:00 +0000

Type: Description
Values removed: (none)
Values added: Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.

Type: Title
Values removed: (none)
Values added: Supabase Capgo - Unauthenticated Cross-Tenant Build-Time Accounting Poisoning via record_build_time RPC

Type: Weaknesses
Values removed: (none)
Values added: CWE-269

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}
cvssV4_0
{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:51:59.649Z

Reserved: 2026-06-19T21:53:16.001Z

Link: CVE-2026-56245

Vulnrichment

Updated: 2026-06-24T15:51:49.621Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-269: Improper Privilege Management