Exploiting Supabase MCP to Leak Private SQL Tables

Popular：

Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

Exploiting Supabase MCP to Leak Private SQL Tables

2025-07-09

Researchers discovered a vulnerability that allows attackers to leak a developer's private SQL tables by exploiting Supabase's MCP integration. A carefully crafted support ticket message tricks the LLM assistant into executing SQL queries, bypassing row-level security and accessing sensitive data like OAuth tokens. The vulnerability stems from the LLM assistant's excessive database access privileges (service_role) and its blind trust in user-submitted content. Mitigations include using read-only mode whenever possible and adding a prompt injection filter.

(www.generalanalysis.com)

Development

FTC's Rulemaking Process Rebuffed: Procedural Irregularities Found

A Nostalgic Journey Through Mac Settings (1984-2004)