CVE-2026-56239
Privilege Escalation in Capgo via Billing Function

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks (no validation of auth.uid(), org membership, or check_min_rights). Because the function runs with the owner's privileges, it bypasses Row Level Security. If EXECUTE permission is available to the authenticated or anon roles (explicitly or via default privileges), an authenticated user could invoke it via Supabase RPC to manipulate billing data for arbitrary organizations, including unauthorized credit depletion and fraudulent overage event insertion.
Affected Vendors & Products

Vendor: cap-go
Product: capgo
Version / Range: up to 12.128.2 (exclusive)
CWE

CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Compliance Impact

The vulnerability allows unauthorized users to manipulate sensitive billing data for arbitrary organizations, including unauthorized credit depletion and fraudulent billing events.

Such unauthorized access and manipulation of billing data could lead to violations of data protection and financial integrity requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict access controls and data integrity safeguards.

Because the function bypasses internal authorization checks and Row Level Security, it undermines the enforcement of proper access controls, potentially exposing organizations to compliance risks related to unauthorized data access and financial fraud.

Executive Summary

CVE-2026-56239 is a privilege escalation vulnerability in Capgo versions before 12.128.2. It exists in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without proper authorization checks.

This function runs with the privileges of its owner, bypassing Row Level Security protections. It does not validate the user's identity, organization membership, or minimum rights before executing billing operations.

If EXECUTE permission is granted to authenticated or anonymous roles, an attacker with valid credentials could invoke this function via Supabase RPC to manipulate billing data for any organization, including unauthorized credit depletion and fraudulent billing event insertion.

Impact Analysis

This vulnerability can lead to unauthorized manipulation of billing data for arbitrary organizations.

  • Attackers could deplete credits without authorization.
  • Fraudulent overage events could be inserted, causing financial damage.
  • It allows privilege escalation by bypassing Row Level Security, potentially compromising sensitive billing operations.

Detection Guidance

Detection of this vulnerability involves checking if the public.apply_usage_overage SECURITY DEFINER function exists and whether EXECUTE permissions are granted to the authenticated or anon roles. Since the function can be invoked via Supabase RPC, monitoring RPC calls to this function for unusual or unauthorized usage can help detect exploitation attempts.

You can run SQL queries to inspect permissions and function definitions, for example:

  • Check if the function exists: SELECT proname FROM pg_proc WHERE proname = 'apply_usage_overage';
  • Check EXECUTE privileges on the function: SELECT grantee FROM information_schema.role_routine_grants WHERE routine_name = 'apply_usage_overage' AND privilege_type = 'EXECUTE';
  • Audit Supabase RPC logs for calls to apply_usage_overage from authenticated or anon roles.

Mitigation Strategies

Immediate mitigation steps include upgrading Capgo to version 12.128.2 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, restrict EXECUTE permissions on the public.apply_usage_overage function to trusted roles only, removing EXECUTE privileges from authenticated and anon roles.

Additionally, review and tighten Supabase RPC permissions to prevent unauthorized invocation of this function.
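The detection checks and the interim mitigation above, combined into one PostgreSQL script as an added example (this is not code from the advisory or from the Capgo project). It assumes a Supabase-style database with the roles anon, authenticated and service_role, and it resolves the function's argument signature from the catalog because the advisory does not state it.

```sql
-- Added example, not Capgo's own code. Assumes Supabase roles
-- anon / authenticated (API callers) and service_role (trusted backend).

-- 1. Confirm the function exists in schema public and is SECURITY DEFINER.
SELECT n.nspname  AS schema_name,
       p.proname  AS function_name,
       p.prosecdef AS security_definer,
       pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public' AND p.proname = 'apply_usage_overage';

-- 2. Check whether the API roles can call it. has_function_privilege()
--    also reflects grants inherited via PUBLIC, which is how default
--    privileges expose a new function to every role.
SELECT r.rolname,
       has_function_privilege(r.rolname, p.oid, 'EXECUTE') AS can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN pg_roles r
WHERE n.nspname = 'public' AND p.proname = 'apply_usage_overage'
  AND r.rolname IN ('anon', 'authenticated');

-- 3. Interim mitigation until 12.128.2 is deployed: revoke EXECUTE from
--    PUBLIC and the API roles, keep it only for the trusted backend role.
--    Casting the oid to regprocedure yields the full signature, so every
--    overload is covered without typing the argument list by hand.
DO $$
DECLARE
  fn regprocedure;
BEGIN
  FOR fn IN
    SELECT p.oid::regprocedure
    FROM pg_proc p
    JOIN pg_namespace n ON n.oid = p.pronamespace
    WHERE n.nspname = 'public' AND p.proname = 'apply_usage_overage'
  LOOP
    EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC, anon, authenticated', fn);
    EXECUTE format('GRANT EXECUTE ON FUNCTION %s TO service_role', fn);
  END LOOP;
END $$;

-- 4. Re-run query 2: can_execute must now be false for anon and
--    authenticated. The permanent fix is the upgrade, where the function
--    body itself validates auth.uid() and org rights before touching billing rows.
```

Run steps 1 and 2 first as a read-only audit; step 3 changes grants and should be applied by a role that owns the function or has superuser rights, after confirming service_role (or whichever backend role you use) is the only legitimate caller.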
