Severity: CRITICAL | CWE-284 (Improper Access Control) | Database Security

Supabase RLS Misconfiguration

Description

Row Level Security (RLS) is disabled on one or more Supabase tables that are exposed through the project's auto-generated REST API. Supabase grants the anon and authenticated roles access to tables in the public schema by default, so with RLS off anyone holding the public anon key (which ships in every client bundle and is not a secret) can read, insert, update or delete rows. Enabling RLS with no policies denies all access for those roles; access is then opened up policy by policy. A policy such as USING (true) on a sensitive table gives the same exposure with RLS nominally on. Note that the service_role key bypasses RLS entirely and must never be shipped to a client.

How Vezraa Detects It

We probe your project's Supabase REST endpoint (/rest/v1/) with the public anon key and no user session, and attempt to enumerate tables and read rows. Anything that comes back is readable by every visitor to your site, since the anon key is embedded in the client-side code.
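The probe described above, as an added example in Python; this is not Vezraa's scanner and not code from the original page. It sends the request an unauthenticated browser client would send with only the anon key and classifies the response. The project URL, anon key and table names are hypothetical, and the sample responses are constructed to mimic PostgREST's replies so the script runs offline.

```python
"""Probe Supabase tables with nothing but the public anon key.

Added illustration; not Vezraa's scanner. PROJECT_URL, ANON_KEY, the table
names and FAKE_RESPONSES are hypothetical, constructed to mimic PostgREST.
"""
import json
import urllib.error
import urllib.request

PROJECT_URL = "https://example-project.supabase.co"  # hypothetical
ANON_KEY = "anon-key-from-the-client-bundle"         # hypothetical


def build_request(base_url: str, anon_key: str, table: str, limit: int = 1) -> urllib.request.Request:
    """GET /rest/v1/<table> exactly as an unauthenticated browser client would."""
    url = f"{base_url.rstrip('/')}/rest/v1/{table}?select=*&limit={limit}"
    headers = {
        "apikey": anon_key,                     # the API gateway requires this header
        "Authorization": f"Bearer {anon_key}",  # no user JWT: the query runs as the anon role
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def classify(status: int, body: str) -> str:
    """Map a PostgREST response to an anon SELECT onto a finding.

    exposed      rows came back: RLS is off, or a policy lets anon read
    denied       401/403: RLS or a missing grant blocked the anon role
    not_exposed  404: the table is not in an API-exposed schema
    inconclusive 200 with []: RLS may have filtered every row, or the
                 table is simply empty; a read probe cannot tell them apart
    """
    if status == 200:
        try:
            rows = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(rows, list) and rows:
            return "exposed"
        return "inconclusive"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not_exposed"
    return "unexpected"


def http_fetch(req: urllib.request.Request) -> tuple[int, str]:
    """Real transport: return (status, body), treating HTTP error replies as data."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, anon_key: str, tables, fetch=http_fetch) -> dict[str, str]:
    """Probe each table with the anon key and return {table: finding}."""
    findings = {}
    for table in tables:
        status, body = fetch(build_request(base_url, anon_key, table))
        findings[table] = classify(status, body)
    return findings


# Constructed responses standing in for a live project (no network needed).
FAKE_RESPONSES = {
    "users":    (200, '[{"id":"00000000-0000-0000-0000-000000000001","email":"alice@example.com"}]'),  # RLS off
    "orders":   (200, "[]"),                                                      # RLS on, no anon policy, or empty
    "secrets":  (404, '{"code":"PGRST205","message":"Could not find the table"}'),  # not API-exposed
    "payments": (403, '{"message":"permission denied for table payments"}'),        # grant revoked from anon
}


def fake_fetch(req: urllib.request.Request) -> tuple[int, str]:
    """Offline transport that answers from FAKE_RESPONSES."""
    table = req.full_url.split("/rest/v1/")[1].split("?")[0]
    return FAKE_RESPONSES.get(table, (404, "{}"))


if __name__ == "__main__":
    for table, finding in probe(PROJECT_URL, ANON_KEY, FAKE_RESPONSES, fetch=fake_fetch).items():
        print(f"{table:10s} {finding}")
```

The inconclusive case is the important caveat: a 200 with an empty array is what both a correctly locked-down table and an empty unprotected table return, so a read-only probe cannot prove a table is safe; only the database-side check (is RLS enabled, which policies exist) settles it. To run against a live project you are authorised to test, pass the default http_fetch instead of fake_fetch and substitute your real project URL and anon key.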

Real-World Impact

Complete data exposure, and usually data tampering as well. Attackers can exfiltrate user PII, payment records and internal data, or insert, modify and delete rows, with no authentication beyond the anon key already present in the app's client-side code.

Fix Example

-- Enable RLS. With no policies in place, every request from the anon
-- and authenticated roles is now denied for this table.
ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;

-- Let signed-in users read and write only their own row (id is a uuid
-- matching auth.uid()). TO authenticated excludes the anon role, and
-- WITH CHECK applies the same test to INSERT/UPDATE so a user cannot
-- write a row carrying someone else's id.
CREATE POLICY "users_own_data" ON public.users
  FOR ALL TO authenticated
  USING (auth.uid() = id)
  WITH CHECK (auth.uid() = id);

Affected Stacks

Supabase, PostgreSQL, Next.js
