Improper Access Control Vulnerability in Capgo Product Affecting Supabase
CVE-2026-56082

8.7 HIGH

Key Information:

Vendor: Cap-go
Status: Vendor
CVE Published: 19 June 2026

What is CVE-2026-56082?

Capgo prior to version 12.128.2 exposes a SECURITY DEFINER PostgREST RPC function, public.record_build_time, that can be called with nothing more than the project's public Supabase publishable (anon) key. Because SECURITY DEFINER runs the function with the privileges of its owner rather than those of the caller, the anon role can insert rows into the public.build_logs table through it, sidestepping the row-level access control that would otherwise apply to that table. An unauthenticated attacker can reuse existing build IDs to log arbitrary build time against other organizations' builds, tampering with their billing records. The result is inflated build-time charges and a loss of billing accuracy, with no impact on confidentiality or availability.
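The pattern described above, and one way to close it, as an added illustration that is not Capgo's own source. Only the names public.record_build_time and public.build_logs come from the advisory; the parameter list (p_build_id, p_build_time_ms), the builds and org_members tables and their columns, and the build_logs columns are assumptions chosen to show the shape of the bug. The audit query and the REVOKE/GRANT statements use only standard PostgreSQL and Supabase (anon, authenticated, service_role, auth.uid()) facilities.

```sql
-- Added illustration, not Capgo's code. Parameter names and the columns of
-- build_logs / builds / org_members are assumptions.

-- 1. Vulnerable shape. SECURITY DEFINER runs the body as the function owner,
--    who typically owns build_logs and is therefore not subject to its RLS
--    policies. Supabase's default privileges let anon and authenticated
--    EXECUTE any function in public, so the publishable key reaches it.
CREATE OR REPLACE FUNCTION public.record_build_time(p_build_id uuid, p_build_time_ms integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  -- No ownership check and no duplicate check: any caller can log time
  -- against any existing build_id and inflate that organisation's bill.
  INSERT INTO public.build_logs (build_id, build_time_ms)
  VALUES (p_build_id, p_build_time_ms);
END;
$$;

-- 2. Audit query: every SECURITY DEFINER function in public that the anon
--    role may execute. Each row is callable with the publishable key alone.
SELECT n.nspname || '.' || p.proname AS fn,
       pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- 3a. Hardened: take the function away from anonymous and end-user roles and
--     let only the build pipeline (service_role key) call it.
REVOKE EXECUTE ON FUNCTION public.record_build_time(uuid, integer)
  FROM PUBLIC, anon, authenticated;
GRANT EXECUTE ON FUNCTION public.record_build_time(uuid, integer)
  TO service_role;

-- 3b. If signed-in users must call it, bind the row to the caller and refuse
--     to replay a build_id. auth.uid() is Supabase's JWT subject helper and
--     returns NULL for anon. Assumes build_logs has UNIQUE (build_id).
CREATE OR REPLACE FUNCTION public.record_build_time(p_build_id uuid, p_build_time_ms integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'authentication required';
  END IF;
  IF p_build_time_ms IS NULL OR p_build_time_ms < 0 THEN
    RAISE EXCEPTION 'invalid build time';
  END IF;
  -- The caller must belong to the organisation that owns the build.
  IF NOT EXISTS (
    SELECT 1
    FROM public.builds b
    JOIN public.org_members m ON m.org_id = b.org_id
    WHERE b.id = p_build_id AND m.user_id = auth.uid()
  ) THEN
    RAISE EXCEPTION 'build not found or not owned by caller';
  END IF;
  -- One log row per build: a replayed build_id becomes a no-op rather than
  -- extra billed time.
  INSERT INTO public.build_logs (build_id, build_time_ms, recorded_by)
  VALUES (p_build_id, p_build_time_ms, auth.uid())
  ON CONFLICT (build_id) DO NOTHING;
END;
$$;

-- 4. Stop the next function from being exposed by default. Default
--    privileges apply to objects later created by the role running this.
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM anon;
```

Run the audit query in section 2 against a project before and after the fix: the vulnerable function appears in the result set until the REVOKE in 3a is applied. Section 3a is the smaller change and matches how a server-side build pipeline normally reports timings; 3b is the shape to use only when the call genuinely has to come from an end-user session, and it is only as strong as the membership table it consults.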

Affected Version(s)

capgo >= 0, < 12.128.2 (affected)

capgo 12.128.2 (first fixed version, per the description above)

CVSS v4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None (the function is reachable with the public anon key, so no account is needed)
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 19 June 2026

Credit

Judel777