CVE-2026-56245

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record build time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record build time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.