CVE-2026-56082: Improper Access Control in Cap-go capgo
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.
AI Analysis
Technical Summary
The vulnerability in Capgo (Cap-go/capgo) prior to 12.128.2 involves improper access control in the SECURITY DEFINER PostgREST RPC function public.record_build_time. This function is granted to the anon role and can be invoked using only the public Supabase publishable anon key (sb_publishable_*). An unauthenticated attacker can exploit this to insert rows into the public.build_logs table for arbitrary organizations. Due to the function's use of ON CONFLICT (build_id, org_id) DO UPDATE, attackers can overwrite existing usage and billing records by reusing the same build_id for a targeted organization. This leads to cross-tenant tampering of billing data and can cause financial-impact denial of service by inflating billable build time.
Potential Impact
An unauthenticated attacker can manipulate billing and usage records across tenants by inserting or overwriting entries in the build_logs table. This can result in incorrect billing data, financial impact due to inflated billable build time, and denial of service conditions related to billing integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the public.record_build_time function and the anon role permissions to prevent unauthenticated invocation. Monitor for unusual activity related to build_logs entries. Avoid using the public Supabase publishable anon key for sensitive operations.
CVE-2026-56082: Improper Access Control in Cap-go capgo
Description
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.
CVSS v4.0
Score 8.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Capgo (Cap-go/capgo) prior to 12.128.2 involves improper access control in the SECURITY DEFINER PostgREST RPC function public.record_build_time. This function is granted to the anon role and can be invoked using only the public Supabase publishable anon key (sb_publishable_*). An unauthenticated attacker can exploit this to insert rows into the public.build_logs table for arbitrary organizations. Due to the function's use of ON CONFLICT (build_id, org_id) DO UPDATE, attackers can overwrite existing usage and billing records by reusing the same build_id for a targeted organization. This leads to cross-tenant tampering of billing data and can cause financial-impact denial of service by inflating billable build time.
Potential Impact
An unauthenticated attacker can manipulate billing and usage records across tenants by inserting or overwriting entries in the build_logs table. This can result in incorrect billing data, financial impact due to inflated billable build time, and denial of service conditions related to billing integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the public.record_build_time function and the anon role permissions to prevent unauthenticated invocation. Monitor for unusual activity related to build_logs entries. Avoid using the public Supabase publishable anon key for sensitive operations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-18T15:57:20.434Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a35be95daaa79a87d39ec70
Added to database: 6/19/2026, 10:11:33 PM
Last enriched: 6/19/2026, 10:26:26 PM
Last updated: 6/19/2026, 11:16:48 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.