CVE-2026-56245
Authorization Bypass in Supabase Capgo via record_build_time RPC

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key to poison billing and quota data for any organization, enabling resource exhaustion and cross-tenant billing manipulation.
Affected Vendors & Products
Vendor: supabase
Product: capgo
Version / Range: all versions up to (excluding) 12.128.2
CWE
CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Compliance Impact

The vulnerability allows unauthenticated attackers to manipulate billing and quota data across different tenants by exploiting an authorization bypass in the record_build_time RPC function.

This manipulation can lead to resource exhaustion and cross-tenant billing fraud, which may result in unauthorized access to or alteration of organizational data.

Such unauthorized data manipulation and potential cross-tenant impact could violate compliance requirements related to data integrity, access control, and tenant isolation found in standards like GDPR and HIPAA.

Specifically, the lack of proper authorization checks and privilege management may lead to breaches of confidentiality and accountability principles mandated by these regulations.

Executive Summary

CVE-2026-56245 is a critical authorization bypass vulnerability in Supabase Capgo versions before 12.128.2. It affects the SECURITY DEFINER RPC function called record_build_time, which allows unauthenticated attackers to insert or update arbitrary build-time records.

Because the function is granted to anonymous users and lacks proper authorization checks, attackers can call the POST /rest/v1/rpc/record_build_time endpoint using only a public API key to manipulate build-time accounting data for any organization.

This means attackers can poison billing and quota data across different tenants, potentially causing resource exhaustion and cross-tenant billing manipulation.

Impact Analysis

This vulnerability can have several serious impacts:

  • Attackers can inflate build-time usage for victim organizations, leading to incorrect billing charges.
  • Quota enforcement can be bypassed or manipulated, potentially allowing excessive resource consumption.
  • Resource exhaustion may occur due to excessive log growth caused by malicious record insertions.
  • Cross-tenant billing manipulation can affect multiple organizations, causing financial and operational disruption.
Detection Guidance

This vulnerability can be detected by monitoring calls to the RPC function `record_build_time` (POST /rest/v1/rpc/record_build_time) that are made with only the public (anon) API key and no user JWT. Unusual insertions or updates to the `public.build_logs` table, especially ones that do not correspond to a real build run by a member of the affected organization, may indicate exploitation attempts.

In practice, check request logs for POST requests to /rest/v1/rpc/record_build_time and verify whether each call carried a proper authorization (an authenticated user session) or only the public API key.

  • Use network monitoring tools or web server logs to filter for POST requests to /rest/v1/rpc/record_build_time.
  • Query the database for recent inserts or updates in the `public.build_logs` table that do not correspond to legitimate build activities.
  • Example SQL command to check suspicious entries: SELECT * FROM public.build_logs WHERE timestamp > NOW() - INTERVAL '1 day' ORDER BY timestamp DESC;
  • Example command to check web server logs (assuming combined/Apache-style access logs, here at an nginx path): grep 'POST /rest/v1/rpc/record_build_time' /var/log/nginx/access.log. Note that the standard combined log format does not record the apikey or Authorization headers, so distinguishing anon-key calls from authenticated ones requires PostgREST/API gateway logs or a custom log format that includes those headers.
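The per-day query above lists every recent row, which is noisy on a busy instance. The following PostgreSQL query is an added example (not from the advisory or from the Capgo project) that goes a step further and flags organizations whose build-log insert rate in the last 24 hours is far above their own 30-day baseline, which is the signature of poisoned build-time accounting. It assumes `public.build_logs` has an `org_id` column and a `created_at` timestamp column; both column names are assumptions, since the advisory does not describe the table's schema.

```sql
-- Added detection example; column names org_id and created_at are assumptions.
-- Compare each organization's last-24h insert count against its average
-- daily count over the preceding 30 days and report large spikes.
WITH recent AS (
  SELECT org_id, count(*) AS rows_24h
  FROM public.build_logs
  WHERE created_at > now() - interval '1 day'
  GROUP BY org_id
),
baseline AS (
  SELECT org_id, count(*) / 30.0 AS avg_rows_per_day
  FROM public.build_logs
  WHERE created_at BETWEEN now() - interval '31 days'
                       AND now() - interval '1 day'
  GROUP BY org_id
)
SELECT r.org_id,
       r.rows_24h,
       coalesce(b.avg_rows_per_day, 0) AS avg_rows_per_day,
       round(r.rows_24h / greatest(coalesce(b.avg_rows_per_day, 0), 1), 1) AS spike_ratio
FROM recent r
LEFT JOIN baseline b USING (org_id)
-- Threshold of 10x the baseline (minimum baseline of 1/day) is a starting point;
-- tune it to the instance's normal build volume.
WHERE r.rows_24h > 10 * greatest(coalesce(b.avg_rows_per_day, 0), 1)
ORDER BY r.rows_24h DESC;
```

Organizations that appear here with a large spike ratio and no matching CI activity are the ones whose billing and quota figures should be re-validated against the real build history before the next invoicing run.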
Mitigation Strategies

Immediate mitigation steps include revoking anonymous or public access to the `record_build_time` RPC function to prevent unauthenticated calls.

Implement proper authorization checks within the `record_build_time` function to ensure only authenticated and authorized users can insert or update build-time records.

Apply rate limiting on the RPC endpoint to reduce the risk of resource exhaustion from excessive or malicious requests.

Upgrade Supabase Capgo to version 12.128.2 or later, where this vulnerability has been patched.
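The three mitigation steps above (revoke anonymous access, add an authorization check inside the function, keep SECURITY DEFINER semantics safe) can be carried out with the PostgreSQL statements below. This is an added example written for this page, not Capgo's own migration or the fix shipped in 12.128.2. The function signature `(p_org_id uuid, p_build_seconds integer)`, the `public.org_users` membership table and the `build_seconds` column are assumptions; adapt them to the real schema. `auth.uid()` and the `anon`, `authenticated` and `service_role` roles are the standard Supabase ones.

```sql
-- Added mitigation example; signature, org_users table and build_seconds column are assumptions.

-- 1. Audit the current state. PostgreSQL grants EXECUTE on new functions to
--    PUBLIC by default, and PUBLIC includes the anon role used by the public API key.
SELECT p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       p.prosecdef                                AS security_definer,
       has_function_privilege('anon', p.oid, 'EXECUTE') AS anon_can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public' AND p.proname = 'record_build_time';

-- 2. Close the unauthenticated path at the privilege level.
REVOKE EXECUTE ON FUNCTION public.record_build_time(uuid, integer) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.record_build_time(uuid, integer) TO authenticated, service_role;

-- 3. Enforce authorization inside the function. The grant alone does not tie
--    the record to the caller's organization, so an authenticated user of one
--    tenant could still write build time for another; check membership explicitly.
CREATE OR REPLACE FUNCTION public.record_build_time(p_org_id uuid, p_build_seconds integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public   -- pin search_path so a SECURITY DEFINER body cannot be hijacked
AS $$
BEGIN
  -- Reject calls that carry only the public API key (no user JWT).
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '42501';
  END IF;

  -- Reject callers who are not members of the organization being billed.
  IF NOT EXISTS (
    SELECT 1 FROM public.org_users
    WHERE org_id = p_org_id AND user_id = auth.uid()
  ) THEN
    RAISE EXCEPTION 'not a member of organization %', p_org_id USING ERRCODE = '42501';
  END IF;

  -- Reject nonsensical build times that would distort quota accounting.
  IF p_build_seconds IS NULL OR p_build_seconds < 0 THEN
    RAISE EXCEPTION 'invalid build time' USING ERRCODE = '22023';
  END IF;

  INSERT INTO public.build_logs (org_id, build_seconds, created_at)
  VALUES (p_org_id, p_build_seconds, now());
END;
$$;

-- Re-run the audit query from step 1: anon_can_execute should now be false.
```

Re-running the step 1 query after the change is the verification: `anon_can_execute` must be false, and a call through PostgREST with only the anon key should return a permission error rather than a new row. Rate limiting on /rest/v1/rpc/record_build_time belongs in the API gateway in front of PostgREST and is not expressible in SQL.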
