CVE Catalog

CVE-2026-56082

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Capgo before version 12.128.2 contains an improper access control vulnerability in the PostgREST RPC function public.record_build_time, which is accessible to the anon role and callable with the public anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations, allowing them to modify existing usage/billing records.

Risk Assessment

This vulnerability allows attackers to tamper with billing logs across different organizations, potentially leading to unauthorized access to financial data and inflated build costs.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later and to review and restrict access to the public.record_build_time function to prevent unauthorized operations.

Original NVD description (English source)

Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS