CRITICAL SECURITY ISSUE - URGENT SUPABASE TEAM ATTENTION NEEDED
I reported a critical RLS bypass vulnerability via email 2 days ago but haven't received any response. This is affecting production systems and needs immediate attention.
Issue Summary:
The supabase_read_only_user system role has pg_read_all_data membership
This completely bypasses ALL Row Level Security policies
Customer PII, admin credentials, and sensitive data are accessible despite proper RLS implementation
Cannot be fixed client-side as it's a reserved system role
Impact:
Complete RLS policy bypass on all tables
GDPR/CCPA compliance violations
Customer data exposure risk
Technical Evidence:
-- Role has BYPASSRLS privilege
SELECT rolname, rolbypassrls FROM pg_roles WHERE rolname = 'supabase_read_only_user';
-- Result: rolbypassrls = true
Attempted Fix Failed:
ERROR: 42501: "supabase_read_only_user" is a reserved role, only superusers can modify it
This requires Supabase infrastructure team intervention to modify the system role permissions.
Original Report: Sent via email 2 days ago with full technical details and project ID.
Can someone from the team please escalate this? Happy to provide additional details privately.
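A defender-side audit query to go with the report above (an added example, not the reporter's own query): it lists every role that holds BYPASSRLS or SUPERUSER directly, or that is a direct or transitive member of pg_read_all_data, and for each one the login roles that can reach it through role membership. It assumes PostgreSQL 14 or later (pg_read_all_data was introduced in 14) and a session that can read pg_roles and pg_auth_members.

```sql
-- Added audit example; not part of the original issue report.
-- Walk role membership transitively so that a login role granted an
-- intermediate role still shows up as able to reach a privileged one.
WITH RECURSIVE membership (member, roleid) AS (
    SELECT member, roleid FROM pg_auth_members
    UNION
    SELECT ms.member, m.roleid
    FROM membership ms
    JOIN pg_auth_members m ON m.member = ms.roleid
),
flagged AS (
    SELECT r.oid, r.rolname, r.rolcanlogin, r.rolsuper, r.rolbypassrls,
           EXISTS (
               SELECT 1
               FROM membership ms
               JOIN pg_roles p ON p.oid = ms.roleid
               WHERE ms.member = r.oid AND p.rolname = 'pg_read_all_data'
           ) AS member_of_read_all_data
    FROM pg_roles r
)
SELECT f.rolname,
       f.rolcanlogin,
       f.rolsuper,
       f.rolbypassrls,
       f.member_of_read_all_data,
       -- Login roles that are (transitively) members of this role.
       -- Assumption: membership implies SET ROLE is possible; on
       -- PostgreSQL 16+ a grant made WITH SET FALSE would not allow it.
       COALESCE((
           SELECT string_agg(l.rolname, ', ' ORDER BY l.rolname)
           FROM membership ms
           JOIN pg_roles l ON l.oid = ms.member
           WHERE ms.roleid = f.oid AND l.rolcanlogin
       ), '') AS reachable_by_login_roles
FROM flagged f
WHERE f.rolsuper OR f.rolbypassrls OR f.member_of_read_all_data
ORDER BY f.rolname;
```

Rows with a non-empty reachable_by_login_roles column are the ones to review first: a reserved role that cannot be altered is only a problem for RLS if some login role can actually assume it.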