NVD HIGH: CVE-2026-56245 — Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in...
Source: NIST NVD
Executive Summary
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.
Analysis
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation. CVSS Score: 8.2. Published: 2026-06-24T13:16:34.820.
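
The exposure described above (a SECURITY DEFINER function reachable through /rest/v1/rpc with only the public API key) can be audited from the database side. The query below is an added example, not code from Capgo or the NVD entry; it assumes Supabase's default role names anon and authenticated and that the REST API exposes the public schema.

```sql
-- Added example (not from the advisory): list SECURITY DEFINER functions that
-- the unauthenticated API role can execute. Such functions run with their
-- owner's privileges, so any authorization check has to happen inside the
-- function body; each row returned here deserves a manual review.
-- Assumptions: roles "anon" and "authenticated" exist (Supabase defaults) and
-- the API-exposed schema is "public". Adjust both to match the deployment.
SELECT
    n.nspname                                   AS schema_name,
    p.proname                                   AS function_name,
    pg_get_function_identity_arguments(p.oid)   AS arguments,
    pg_get_userbyid(p.proowner)                 AS runs_as_owner,
    -- NULL ACL means built-in defaults, which grant EXECUTE to PUBLIC
    (p.proacl IS NULL)                          AS default_public_execute,
    has_function_privilege('authenticated', p.oid, 'EXECUTE')
                                                AS authenticated_can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef                               -- SECURITY DEFINER only
  AND n.nspname = 'public'
  AND has_function_privilege('anon', p.oid, 'EXECUTE')
ORDER BY schema_name, function_name;

-- For a listed function that is meant to be called only by backend code,
-- remove the unauthenticated grant. The signature is a placeholder; take it
-- from the "arguments" column above.
-- REVOKE EXECUTE ON FUNCTION public.<function>(<argument types>)
--     FROM PUBLIC, anon;
```

has_function_privilege reports effective privileges, so a function shows up whether EXECUTE was granted to anon directly or inherited through PUBLIC.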