CRITICAL | CWE-284 | Database Security
Supabase RLS Misconfiguration
Description
Row Level Security (RLS) is disabled on Supabase tables, allowing unauthenticated users to read, insert, update, or delete data directly via the public anon key.
How Vezraa Detects It
We probe your Supabase API endpoint with the public anon key and attempt to list tables/rows without authentication headers.
Real-World Impact
Complete data exposure. Attackers can exfiltrate user PII, payment records, and internal data — no auth required.
Fix Example
```sql
-- Enable RLS: with no policies defined yet, every row is denied to anon/authenticated
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Create policy: applies to SELECT, UPDATE, DELETE and (because no WITH CHECK is given,
-- Postgres reuses the USING expression) INSERT. Assumes users.id is a uuid matching auth.uid().
CREATE POLICY "users_own_data" ON users USING (auth.uid() = id);
```
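To find every table this finding applies to before fixing them one by one, the following audit query is an added example (not part of the original page or the Vezraa scanner). It assumes it is run from the Supabase SQL editor with a privileged role, that the API-exposed schema is `public`, and that the default Supabase `anon` role exists.

```sql
-- Audit: tables in the API-exposed schema where RLS is off or has no policies,
-- together with what the anon role is allowed to do on them.
-- A row with rls_enabled = false and anon_can_read = true is exactly the
-- condition described above: anyone holding the public anon key can read it.
SELECT
  n.nspname                                   AS schema_name,
  c.relname                                   AS table_name,
  c.relrowsecurity                            AS rls_enabled,
  c.relforcerowsecurity                       AS rls_forced_for_owner,
  (SELECT count(*) FROM pg_policy p
    WHERE p.polrelid = c.oid)                 AS policy_count,
  has_table_privilege('anon', c.oid, 'SELECT')                 AS anon_can_read,
  has_table_privilege('anon', c.oid, 'INSERT, UPDATE, DELETE') AS anon_can_write
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'          -- schema served by the Supabase REST API
  AND c.relkind IN ('r', 'p')       -- ordinary and partitioned tables
  AND (
        NOT c.relrowsecurity        -- finding: RLS disabled
     OR NOT EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid)
                                    -- RLS on but no policies: all rows denied,
                                    -- usually a sign the fix was left half done
  )
ORDER BY c.relrowsecurity, c.relname;
```

Tables flagged with `rls_enabled = false` need the `ENABLE ROW LEVEL SECURITY` statement above plus at least one policy; tables with `policy_count = 0` need policies written before the application will see any rows.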
Affected Stacks
Supabase, PostgreSQL, Next.js