Security question in regards to default permissions enforced by supabase

Solved🟢SQL

Looking at the default privileges granted to the

anon

anon

and

authenticated

authenticated

roles, they include things like TRUNCATE, TRIGGER, and REFERENCES across schemas like

storage

storage

supabase_functions

supabase_functions

public

public

, etc. My understanding is that RLS doesn't protect against TRUNCATE or TRIGGER abuse, so these feel indefensible regardless of RLS policies. Does this constitute a security vulnerability, or is there a mitigation I'm missing?
I was going to report on HackerOne a

CWE-732

CWE-732

, but wanted to ask beforehand to spare myself the embarrassment since I've never actually posted there.

Supabase•7d ago•

8 replies

Despair

Security question in regards to default permissions enforced by supabase

Solved🟢SQL

Looking at the default privileges granted to the

anon

anon

and

authenticated

authenticated

roles, they include things like TRUNCATE, TRIGGER, and REFERENCES across schemas like

storage

storage

supabase_functions

supabase_functions

public

public

CWE-732

CWE-732

, but wanted to ask beforehand to spare myself the embarrassment since I've never actually posted there.

Security question in regards to default permissions enforced by supabase

Similar Threads

Security question in regards to default permissions enforced by supabase

Similar Threads

Similar Threads

Similar Threads