HIGH Vulnerability
Verified
Global

NVD HIGH: CVE-2026-56245 — Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in...

Source: NIST NVD

Executive Summary

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.

Analysis

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation. CVSS Score: 8.2. Published: 2026-06-24T13:16:34.820.
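
The bug class described above, shown from the defender's side as an added example (not Capgo's code and not its actual patch): an audit query for SECURITY DEFINER functions that the public-key role can call, followed by a function that authorizes the caller before writing. The tables org_users and build_times, the parameters p_org_id and p_seconds, and the membership rule are assumptions for illustration; the anon and authenticated roles and auth.uid() are the ones Supabase provides.

```sql
-- Added example. Hypothetical schema; not Capgo's code or its actual patch.
-- Assumes Supabase's built-in roles (anon, authenticated) and auth.uid().
CREATE TABLE IF NOT EXISTS public.org_users (org_id uuid, user_id uuid);
CREATE TABLE IF NOT EXISTS public.build_times (
  org_id uuid NOT NULL, seconds integer NOT NULL,
  recorded_at timestamptz NOT NULL DEFAULT now());

-- Audit: SECURITY DEFINER functions in the API-exposed schema that the
-- anon role (anyone holding the public API key) is allowed to execute.
SELECT p.proname AS function_name,
       pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- Hardened shape: the function runs with its owner's rights, so it has to
-- authorize the caller itself before it writes anything.
CREATE OR REPLACE FUNCTION public.record_build_time(p_org_id uuid, p_seconds integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = ''
AS $$
BEGIN
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '42501';
  END IF;
  IF NOT EXISTS (SELECT 1 FROM public.org_users ou
                 WHERE ou.org_id = p_org_id AND ou.user_id = auth.uid()) THEN
    RAISE EXCEPTION 'caller is not a member of this organization'
      USING ERRCODE = '42501';
  END IF;
  IF p_seconds IS NULL OR p_seconds < 0 THEN
    RAISE EXCEPTION 'invalid build time' USING ERRCODE = '22023';
  END IF;
  INSERT INTO public.build_times (org_id, seconds) VALUES (p_org_id, p_seconds);
END;
$$;

-- Functions are executable by PUBLIC by default; remove that and grant narrowly.
REVOKE EXECUTE ON FUNCTION public.record_build_time(uuid, integer) FROM PUBLIC, anon;
GRANT EXECUTE ON FUNCTION public.record_build_time(uuid, integer) TO authenticated;
```

Any row the audit query returns is reachable through /rest/v1/rpc/ with only the public API key, so each one needs either an in-function authorization check or a revoked EXECUTE grant.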

Indicators of Compromise (1)

CVE (1)
CVE-2026-56245

Source Attribution

Originally published by NIST NVD on Jun 24, 2026. Verified by: NIST.