VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2026

Capgo - Privilege Escalation via SECURITY DEFINER Function apply_usage_overage

CVE-2026-56239

Description

Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks (no validation of auth.uid(), org membership, or check_min_rights). Because the function runs with the owner's privileges, it bypasses Row Level Security. If EXECUTE permission is available to the authenticated or anon roles (explicitly or via default privileges), an authenticated user could invoke it via Supabase RPC to manipulate billing data for arbitrary organizations, including unauthorized credit depletion and fraudulent overage event insertion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Cap Go / Capgo (inferred), 2 versions:
    • (no CPE) range: <=12.128.2
    • (no CPE) range: <12.128.2

Patches

Vulnerability mechanics

Root cause

"SECURITY DEFINER function apply_usage_overage performs billing operations without validating the caller's authorization or organization membership."

Attack vector

An attacker with a valid authenticated JWT can call `POST /rest/v1/rpc/apply_usage_overage` with an arbitrary `p_org_id` to manipulate billing data for any organization [ref_id=1]. The function accepts a user-supplied organization identifier and proceeds directly to insert and update billing tables without any authorization check [ref_id=1]. If the `authenticated` or `anon` roles have EXECUTE permission (either explicitly or via default privileges), the function is reachable via Supabase RPC [ref_id=1]. This could allow unauthorized credit depletion, fraudulent overage event insertion, and other billing manipulation [ref_id=1].

Affected code

The function `public.apply_usage_overage` in `supabase/migrations/20251021141631_add_usage_credit_system.sql` (lines 215–398) is defined as `SECURITY DEFINER` and performs billing operations without validating `auth.uid()`, checking `public.org_users` membership, or calling `public.check_min_rights`. Because it runs with owner privileges, it bypasses Row Level Security on `usage_overage_events` and `usage_credit_grants`.

What the fix does

The advisory does not include a published patch, but the recommended fix is to add internal authorization checks inside the function — validating `auth.uid()`, verifying membership in `public.org_users`, and calling `public.check_min_rights` before performing any billing operations [ref_id=1]. Additionally, the function's EXECUTE privilege should be explicitly revoked from `public`, `anon`, and `authenticated` roles, or the function should be moved to a schema not exposed via the REST API [ref_id=1]. Without these changes, the SECURITY DEFINER function continues to bypass Row Level Security and trust user-supplied organization identifiers.
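As an added illustration of the recommended fix (example code written for this page, not Capgo's migration), the skeleton below shows the three internal checks placed before any billing write, plus the privilege revocation. The parameter names match the advisory; the signature of `check_min_rights`, the `'admin'` right name, the column names of `usage_overage_events`, and the role that legitimately runs billing are assumptions.

```sql
-- Added example, not Capgo's code. Assumed: check_min_rights(min_right, user_id,
-- org_id, app_id, channel_id) returns boolean; column names are placeholders.
CREATE OR REPLACE FUNCTION public.apply_usage_overage(
  p_org_id uuid,
  p_metric text,
  p_overage_amount numeric,
  p_billing_cycle_start date,
  p_billing_cycle_end date
) RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so a caller cannot shadow the tables or functions referenced below.
SET search_path = public, pg_temp
AS $$
DECLARE
  v_uid uuid := auth.uid();
BEGIN
  -- 1. Reject anonymous callers: auth.uid() is NULL for the anon role.
  IF v_uid IS NULL THEN
    RAISE EXCEPTION 'not authenticated' USING ERRCODE = '42501';
  END IF;

  -- 2. The caller must be a member of the organisation named in the request,
  --    so p_org_id is no longer trusted as supplied.
  IF NOT EXISTS (
    SELECT 1 FROM public.org_users
    WHERE org_id = p_org_id AND user_id = v_uid
  ) THEN
    RAISE EXCEPTION 'not a member of org %', p_org_id USING ERRCODE = '42501';
  END IF;

  -- 3. Membership alone does not authorise billing writes; require a role check
  --    (the right name and signature are assumed here).
  IF NOT public.check_min_rights('admin', v_uid, p_org_id, NULL, NULL) THEN
    RAISE EXCEPTION 'insufficient rights for org %', p_org_id USING ERRCODE = '42501';
  END IF;

  -- 4. Only now touch the billing tables (placeholder for the real overage logic).
  INSERT INTO public.usage_overage_events (org_id, metric, overage_amount, cycle_start, cycle_end)
  VALUES (p_org_id, p_metric, p_overage_amount, p_billing_cycle_start, p_billing_cycle_end);
END;
$$;

-- Defence in depth: PostgreSQL grants EXECUTE on new functions to PUBLIC by default,
-- so revoke explicitly from PUBLIC and from both PostgREST-facing roles. Grant it back
-- only to whichever backend role legitimately runs billing (not stated in the advisory).
REVOKE EXECUTE ON FUNCTION public.apply_usage_overage(uuid, text, numeric, date, date)
  FROM PUBLIC, anon, authenticated;
```

A quick audit query for other functions with the same exposure is `SELECT p.proname FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace WHERE n.nspname = 'public' AND p.prosecdef AND has_function_privilege('authenticated', p.oid, 'EXECUTE');`, which lists every public SECURITY DEFINER function the `authenticated` role can call.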

Preconditions

  • auth: Valid authenticated JWT token
  • input: Known org_id of another organization
  • config: EXECUTE permission on the function must be available to the authenticated or anon roles (explicitly or via default privileges)

Reproduction

```http
POST /rest/v1/rpc/apply_usage_overage
Authorization: Bearer <valid_user_jwt>
Content-Type: application/json

{
  "p_org_id": "<target_org_uuid>",
  "p_metric": "bandwidth",
  "p_overage_amount": 1000000,
  "p_billing_cycle_start": "2026-01-01",
  "p_billing_cycle_end": "2026-02-01"
}
```

If executable, the function returns HTTP 200, inserts a record into `usage_overage_events`, and modifies the billing/credit state of the target organization [ref_id=1].

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
