CRITICAL SECURITY ISSUE - URGENT SUPABASE TEAM ATTENTION NEEDED

I reported a critical RLS bypass vulnerability via email 2 days ago but haven't received any response. This is affecting production systems and needs immediate attention.

Issue Summary:
- The supabase_read_only_user system role has pg_read_all_data membership
- This completely bypasses ALL Row Level Security policies
- Customer PII, admin credentials, and sensitive data are accessible despite proper RLS implementation
- Cannot be fixed client-side as it's a reserved system role

Impact:
- Complete RLS policy bypass on all tables
- GDPR/CCPA compliance violations
- Customer data exposure risk

Technical Evidence:

    -- Role has BYPASSRLS privilege
    SELECT rolname, rolbypassrls FROM pg_roles WHERE rolname = 'supabase_read_only_user';
    -- Result: rolbypassrls = true

Attempted Fix Failed:

    ERROR: 42501: "supabase_read_only_user" is a reserved role, only superusers can modify it

This requires Supabase infrastructure team intervention to modify the system role permissions.

Original Report: Sent via email 2 days ago with full technical details and project ID.

Can someone from the team please escalate this? Happy to provide additional details privately.
10 Replies
garyaustin (2mo ago)
This is a user helping user site and not monitored regularly by Supabase. Support is the correct contact. I'm not sure though why this role not obeying RLS is critical as it is not used by the clients at all. Only authenticated, anon and service_role are API roles.
mattlehrer (2mo ago)
*not monitored
garyaustin (2mo ago)
Yes
Peter Schawacker (OP, 2mo ago)
This or email?
garyaustin (2mo ago)
Email or troubleshooting tab support contact.
Peter Schawacker (OP, 2mo ago)
What's the best escalation channel for reporting critical vulns?
garyaustin (2mo ago)
Support.
Peter Schawacker (OP, 2mo ago)
2 days without a response. So I guess it'll be Twitter. Thx
garyaustin (2mo ago)
How are you using this role? As the API can't use it unless you enable by assigning to authenticator role.
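As an added example that is not part of the thread, the catalog queries below check the point garyaustin raises: which roles bypass RLS or inherit pg_read_all_data, and whether the API entry role authenticator has been granted any of them. Role names (authenticator, supabase_read_only_user, pg_read_all_data) are the ones named on this page and in Supabase's standard setup; the SQL is plain PostgreSQL catalog SQL.

```sql
-- Added audit queries (not from the original post). Run as a role that can
-- read pg_roles and pg_auth_members, e.g. postgres in the SQL editor.

-- 1. Roles that bypass RLS directly (BYPASSRLS attribute) or inherit the
--    built-in pg_read_all_data role. Both are worth knowing about, since
--    either lets a session read table data regardless of policies.
SELECT r.rolname,
       r.rolbypassrls,
       EXISTS (
         SELECT 1
         FROM pg_auth_members m
         JOIN pg_roles g ON g.oid = m.roleid
         WHERE m.member = r.oid
           AND g.rolname = 'pg_read_all_data'
       ) AS in_pg_read_all_data
FROM pg_roles r
WHERE r.rolbypassrls
   OR r.oid IN (
        SELECT m.member
        FROM pg_auth_members m
        JOIN pg_roles g ON g.oid = m.roleid
        WHERE g.rolname = 'pg_read_all_data'
      )
ORDER BY r.rolname;

-- 2. Roles the API role "authenticator" is a member of. PostgREST can only
--    SET ROLE into roles listed here, so supabase_read_only_user (or any
--    role flagged by query 1) appearing in this list would mean the API
--    can reach it; in a default project the expected entries are
--    anon, authenticated and service_role.
SELECT g.rolname AS granted_role,
       m.admin_option
FROM pg_auth_members m
JOIN pg_roles g ON g.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
WHERE u.rolname = 'authenticator'
ORDER BY g.rolname;
```

If query 2 shows only the three default API roles, an RLS-bypassing role such as the one in the report is not reachable through the API, which is the distinction garyaustin is drawing.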
silentworks (2mo ago)
If it's a critical security issue you should be reporting it to the security team as stated in their security.txt which is linked in the footer on their website. https://supabase.com/.well-known/security.txt