Capgo - Unauthenticated Cross-Tenant Billing Log Tampering via public.record_build_time RPC
Description
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (1)
Vulnerability mechanics
Root cause
"Missing authorization guard on the SECURITY DEFINER PostgREST RPC function `public.record_build_time`, which is granted to the public `anon` role."
Attack vector
An unauthenticated attacker who knows the Supabase project URL and its public anon key can call `public.record_build_time` through the PostgREST RPC endpoint (`POST /rest/v1/rpc/record_build_time`, authenticated with nothing more than the anon key). Supplying a valid `org_id` and `user_id` UUID for a target organization inserts a build log row under that organization; reusing the same `build_id` and `org_id` takes the `ON CONFLICT ... DO UPDATE` path and overwrites the existing row, so billing fields such as `billable_seconds` can be rewritten at will. [ref_id=1]
Affected code
The PostgREST RPC function `public.record_build_time` is granted to the `anon` role and callable via the public `sb_publishable_*` anon key. It performs `INSERT INTO public.build_logs ... ON CONFLICT (build_id, org_id) DO UPDATE`, allowing unauthenticated callers to create or overwrite rows in `public.build_logs` for any organization. [ref_id=1]
What the fix does
The fix commit is not included in this page's sources; the advisory states only that the fixed version is 12.128.2. For this class of bug the fix is expected to revoke EXECUTE on `public.record_build_time` from `anon` (and from `PUBLIC`, which `anon` inherits by default) and to add an authorization check inside the function, for example requiring `auth.uid()` to belong to the supplied `org_id`, so that only authenticated members of an organization can record or update build time for it. Row-level security alone would not close this gap: a SECURITY DEFINER function runs with its owner's privileges and bypasses RLS on `public.build_logs`. [ref_id=1]
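The shape of the bug and of the guard described above, as an added illustration that is not Capgo's code. The project's real function body, parameter list and membership table are not shown in the sources; the `build_logs` columns, the `public.org_users` membership table and the parameter names `p_org_id`, `p_user_id`, `p_build_id` and `p_billable_seconds` are assumptions for the example. The first definition reproduces the vulnerable pattern, the second is one way to harden it on Supabase, and the final query is a check for other functions `anon` can execute.

```sql
-- Illustrative only: reconstructed pattern, not Capgo's actual function.
-- Assumed schema: public.build_logs(build_id text, org_id uuid, user_id uuid,
--   billable_seconds integer, UNIQUE (build_id, org_id))
-- and an assumed membership table public.org_users(org_id uuid, user_id uuid).

-- 1. Vulnerable shape: SECURITY DEFINER (runs as the function owner, so RLS on
--    build_logs does not apply), trusts caller-supplied org_id/user_id, upserts,
--    and is executable by the anon role.
CREATE OR REPLACE FUNCTION public.record_build_time(
  p_org_id uuid, p_user_id uuid, p_build_id text, p_billable_seconds integer
) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
AS $$
BEGIN
  INSERT INTO public.build_logs (build_id, org_id, user_id, billable_seconds)
  VALUES (p_build_id, p_org_id, p_user_id, p_billable_seconds)
  ON CONFLICT (build_id, org_id) DO UPDATE
    SET billable_seconds = EXCLUDED.billable_seconds;   -- any caller can overwrite
END;
$$;
GRANT EXECUTE ON FUNCTION public.record_build_time(uuid, uuid, text, integer) TO anon;

-- 2. Hardened shape. SECURITY DEFINER stays (the function still has to write a
--    table end users must not write directly), but:
--    a) the anon grant goes, as does the implicit PUBLIC grant anon inherits;
--    b) the acting user comes from the verified JWT, not from p_user_id;
--    c) that user must be a member of p_org_id;
--    d) a later call cannot silently overwrite an already recorded build.
REVOKE EXECUTE ON FUNCTION public.record_build_time(uuid, uuid, text, integer)
  FROM PUBLIC, anon;
GRANT EXECUTE ON FUNCTION public.record_build_time(uuid, uuid, text, integer)
  TO authenticated;

CREATE OR REPLACE FUNCTION public.record_build_time(
  p_org_id uuid, p_user_id uuid, p_build_id text, p_billable_seconds integer
) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public
AS $$
DECLARE
  v_caller uuid := auth.uid();   -- NULL for anon or a missing JWT
BEGIN
  IF v_caller IS NULL THEN
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '42501';
  END IF;
  -- Parameter kept for signature compatibility; it must agree with the JWT.
  IF p_user_id IS DISTINCT FROM v_caller THEN
    RAISE EXCEPTION 'user_id does not match caller' USING ERRCODE = '42501';
  END IF;
  IF NOT EXISTS (
    SELECT 1 FROM public.org_users
    WHERE org_id = p_org_id AND user_id = v_caller
  ) THEN
    RAISE EXCEPTION 'caller is not a member of org %', p_org_id
      USING ERRCODE = '42501';
  END IF;
  IF p_billable_seconds < 0 THEN
    RAISE EXCEPTION 'billable_seconds must be non-negative' USING ERRCODE = '22023';
  END IF;

  INSERT INTO public.build_logs (build_id, org_id, user_id, billable_seconds)
  VALUES (p_build_id, p_org_id, v_caller, p_billable_seconds)
  ON CONFLICT (build_id, org_id) DO NOTHING;   -- first record wins, no overwrite
END;
$$;

-- 3. Check: every function in public that anon may execute, directly or via
--    PUBLIC. Any SECURITY DEFINER function listed here that writes data needs
--    the same review as record_build_time.
SELECT p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       p.prosecdef AS security_definer
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND has_function_privilege('anon', p.oid, 'EXECUTE')
ORDER BY p.proname;
```

Two points worth keeping in mind when applying this pattern. PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so `anon` can reach a function that was never explicitly granted to it; the `REVOKE ... FROM PUBLIC` is what actually closes that door, and the check query reports inherited grants because `has_function_privilege` accounts for them. The membership check also relies on `auth.uid()` being derived from a JWT that Supabase has already verified; it says nothing about a legitimate member inflating their own organization's usage, which is a separate abuse problem.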
Preconditions
- Input: the public Supabase anon key (sb_publishable_*) and the Supabase project URL must be obtainable
- Input: a valid organization UUID and user UUID belonging to the target organization
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (2)
No linked articles in our index yet.