PT-2026-51040 · Cap Go · Cap-Go

Judel777 · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-56082

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Capgo versions prior to 12.128.2

Description: Improper access control exists in the SECURITY DEFINER PostgREST RPC function public.record_build_time(). This function is granted to the anon role and can therefore be called using only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations. Because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, an attacker can overwrite existing usage and billing records by reusing the same build_id for a target organization. This allows cross-tenant tampering with billing build logs and a financial-impact denial of service by inflating billable build time.

Recommendations: Update to version 12.128.2 or later.
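The following is an added example, not Capgo's code: an audit query that lists SECURITY DEFINER functions the anon role can execute, followed by a hardened form of the upsert pattern the description names. The parameter names, the build_logs column list, and the org_users membership table are assumptions; auth.uid() is Supabase's built-in helper for the calling user.

```sql
-- Audit check: which SECURITY DEFINER functions in "public" may the anon role execute?
-- Every row returned is an unauthenticated entry point that runs with the owner's rights.
SELECT n.nspname, p.proname, pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- Weak pattern (as described in the advisory): a SECURITY DEFINER upsert that is
-- executable by anon and never checks that the caller belongs to org_id.
--   GRANT EXECUTE ON FUNCTION public.record_build_time(text, uuid, integer) TO anon;

-- Hardened form (assumed signature and columns): require an authenticated caller,
-- verify org membership before touching the row, and pin search_path.
CREATE OR REPLACE FUNCTION public.record_build_time(
  p_build_id text, p_org_id uuid, p_build_time_seconds integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '28000';
  END IF;
  -- Hypothetical membership table: org_users(org_id uuid, user_id uuid).
  IF NOT EXISTS (SELECT 1 FROM public.org_users
                 WHERE org_id = p_org_id AND user_id = auth.uid()) THEN
    RAISE EXCEPTION 'caller is not a member of org %', p_org_id USING ERRCODE = '42501';
  END IF;
  INSERT INTO public.build_logs (build_id, org_id, build_time_seconds)
  VALUES (p_build_id, p_org_id, p_build_time_seconds)
  ON CONFLICT (build_id, org_id) DO UPDATE
    SET build_time_seconds = EXCLUDED.build_time_seconds;
END;
$$;

-- PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so revoke that
-- explicitly as well as the anon grant, then allow only signed-in users.
REVOKE EXECUTE ON FUNCTION public.record_build_time(text, uuid, integer) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.record_build_time(text, uuid, integer) TO authenticated;
```

Re-running the audit query after the change should no longer list record_build_time; any other function it still lists deserves the same review.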

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-56082

Affected Products

Cap-Go