CVE-2026-56245: Improper Privilege Management in Cap-go capgo
Supabase Capgo before version 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function. This flaw allows unauthenticated attackers to insert arbitrary build-time records by calling the POST /rest/v1/rpc/record_build_time endpoint with a public API key. Exploitation can lead to poisoning of billing and quota data across organizations, enabling resource exhaustion and cross-tenant billing manipulation.
AI Analysis
Technical Summary
CVE-2026-56245 is an authorization bypass vulnerability in Supabase Capgo's SECURITY DEFINER record_build_time RPC function affecting versions prior to 12.128.2. The vulnerability permits unauthenticated attackers to invoke the record_build_time RPC via a public API key to insert arbitrary build-time records. This can corrupt billing and quota data for any organization, potentially causing resource exhaustion and manipulation of billing across tenants. The CVSS 4.0 score is 8.8, reflecting high severity with network attack vector, no privileges or user interaction required, but high impact on integrity and low impact on availability and confidentiality.
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass authorization controls and insert arbitrary build-time records, leading to poisoning of billing and quota data. This can cause resource exhaustion and enable attackers to manipulate billing across different tenants, potentially resulting in financial and operational impacts for affected organizations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary mitigation has been documented at this time. Until a patch is available, restrict access to the affected RPC endpoint if possible and monitor for unusual activity related to billing and quota data manipulation.
CVE-2026-56245: Improper Privilege Management in Cap-go capgo
Description
Supabase Capgo before version 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function. This flaw allows unauthenticated attackers to insert arbitrary build-time records by calling the POST /rest/v1/rpc/record_build_time endpoint with a public API key. Exploitation can lead to poisoning of billing and quota data across organizations, enabling resource exhaustion and cross-tenant billing manipulation.
CVSS v4.0
Score 8.8high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-56245 is an authorization bypass vulnerability in Supabase Capgo's SECURITY DEFINER record_build_time RPC function affecting versions prior to 12.128.2. The vulnerability permits unauthenticated attackers to invoke the record_build_time RPC via a public API key to insert arbitrary build-time records. This can corrupt billing and quota data for any organization, potentially causing resource exhaustion and manipulation of billing across tenants. The CVSS 4.0 score is 8.8, reflecting high severity with network attack vector, no privileges or user interaction required, but high impact on integrity and low impact on availability and confidentiality.
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass authorization controls and insert arbitrary build-time records, leading to poisoning of billing and quota data. This can cause resource exhaustion and enable attackers to manipulate billing across different tenants, potentially resulting in financial and operational impacts for affected organizations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary mitigation has been documented at this time. Until a patch is available, restrict access to the affected RPC endpoint if possible and monitor for unusual activity related to billing and quota data manipulation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-19T21:53:16.001Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3bc8faeed863c81ecab8d5
Added to database: 06/24/2026, 12:09:30 UTC
Last enriched: 06/24/2026, 12:24:06 UTC
Last updated: 06/24/2026, 12:44:49 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.