Supabase implicit GRANTs silently exposed PII backup table to unauthenticated users
A developer discovered that three separate database objects in a Supabase project had inadvertently been made publicly accessible due to implicit PostgreSQL permission grants. The most serious case involved a temporary PII backup table created via CREATE TABLE AS SELECT, which automatically received SELECT, INSERT, UPDATE, and DELETE privileges for the anonymous role without any explicit grant being written. A second issue involved a policy set TO PUBLIC, and a third saw four SECURITY DEFINER functions become invocable by anonymous users because EXECUTE is granted TO PUBLIC by default at creation time. In each case, the root cause was the same: PostgreSQL silently appended implicit GRANTs that the migration author never wrote, leaving objects open before RLS could apply. The fix required explicit REVOKE statements added in follow-up migrations to close the unintended access.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in