CVE Catalog

CVE-2026-56245

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key.

Risk Assessment

This vulnerability allows attackers to manipulate billing and quota data for any organization, potentially leading to resource exhaustion and cross-tenant billing manipulation.

Recommendation

It is recommended to update Supabase Capgo to version 12.128.2 or later and to monitor access to the RPC function for unauthorized attempts.

Original NVD description (English source)

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS