PT-2026-51040 · Cap Go · Cap-Go

Judel777 · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-56082

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.
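The following is an added illustration, not code from the Capgo project or from this advisory: it reconstructs the weak pattern the description names (a SECURITY DEFINER RPC granted to anon, upserting with ON CONFLICT DO UPDATE) with an assumed table layout, places a hardened shape beside it, and ends with an audit query a Supabase operator can run to find any SECURITY DEFINER function in public that anon may execute. The table columns other than build_id/org_id, the parameter names, the org_users membership table, and the hardened function body are all assumptions; auth.uid() is Supabase's JWT-subject helper.

```sql
-- Assumed minimal table (columns beyond build_id/org_id are hypothetical).
CREATE TABLE IF NOT EXISTS public.build_logs (
  build_id   text    NOT NULL,
  org_id     uuid    NOT NULL,
  build_time integer NOT NULL,
  PRIMARY KEY (build_id, org_id)
);

-- WEAK: the pattern the advisory describes. SECURITY DEFINER runs with the
-- owner's privileges (so row-level security on build_logs does not apply to
-- the caller), EXECUTE is granted to anon, and the upsert lets any caller
-- replace an existing (build_id, org_id) record for any org.
CREATE OR REPLACE FUNCTION public.record_build_time(p_build_id text, p_org_id uuid, p_build_time integer)
RETURNS void
LANGUAGE sql
SECURITY DEFINER
AS $$
  INSERT INTO public.build_logs (build_id, org_id, build_time)
  VALUES (p_build_id, p_org_id, p_build_time)
  ON CONFLICT (build_id, org_id) DO UPDATE SET build_time = EXCLUDED.build_time;
$$;
GRANT EXECUTE ON FUNCTION public.record_build_time(text, uuid, integer) TO anon;

-- HARDENED (one defensible shape, not the vendor's actual fix):
--  * pin search_path, as every SECURITY DEFINER function should;
--  * require an authenticated caller who is a member of the target org
--    (org_users is an assumed membership table);
--  * refuse to overwrite an existing record instead of DO UPDATE;
--  * revoke EXECUTE from PUBLIC and anon, then grant only to authenticated.
CREATE OR REPLACE FUNCTION public.record_build_time(p_build_id text, p_org_id uuid, p_build_time integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF p_build_time < 0 THEN
    RAISE EXCEPTION 'invalid build_time' USING ERRCODE = '22023';
  END IF;
  IF NOT EXISTS (
      SELECT 1 FROM public.org_users ou
      WHERE ou.org_id = p_org_id AND ou.user_id = auth.uid()) THEN
    RAISE EXCEPTION 'caller is not a member of org %', p_org_id USING ERRCODE = '42501';
  END IF;
  INSERT INTO public.build_logs (build_id, org_id, build_time)
  VALUES (p_build_id, p_org_id, p_build_time)
  ON CONFLICT (build_id, org_id) DO NOTHING;   -- existing records are immutable here
END;
$$;
-- CREATE OR REPLACE keeps earlier grants, so revoke explicitly; PUBLIC gets
-- EXECUTE on new functions by default and must be revoked too.
REVOKE EXECUTE ON FUNCTION public.record_build_time(text, uuid, integer) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.record_build_time(text, uuid, integer) TO authenticated;

-- AUDIT: list SECURITY DEFINER functions in schema public that anon can call.
-- Any row here is an unauthenticated, RLS-bypassing entry point to review.
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_get_function_identity_arguments(p.oid) AS args
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'public'
  AND  p.prosecdef
  AND  has_function_privilege('anon', p.oid, 'EXECUTE');
```

If the write really must stay callable by anon (for example from a build agent without a user session), the safer alternative is a SECURITY INVOKER function with a row-level security policy on build_logs that binds writes to a per-org secret or signed claim, so that the anon role alone never identifies an org. The audit query is also a reasonable thing to run in CI against a migration database so that a new SECURITY DEFINER grant to anon fails review rather than shipping.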

Fix

Improper Access Control


Weakness Enumeration

Related identifiers

CVE-2026-56082

Affected products

Cap-Go