Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.recordbuildtime, which is granted to the anon role and callable with only the public Supabase publishable (sbpublishable*) anon key. An unauthenticated attacker can insert rows into public.buildlogs for arbitrary organizations and, because the function uses ON CONFLICT (buildid, orgid) DO UPDATE, can overwrite existing usage/billing records by reusing the same buildid for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56082.json",
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-284"
]
}