CVE-2026-56245
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key.
Risk Assessment
This vulnerability allows attackers to manipulate billing and quota data for any organization, potentially leading to resource exhaustion and cross-tenant billing manipulation.
Recommendation
It is recommended to update Supabase Capgo to version 12.128.2 or later and to monitor access to the RPC function for unauthorized attempts.
Original NVD description (English source)
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.

