Three Supabase security gaps traced to Postgres implicit grants at object creation
A developer discovered three separate security vulnerabilities in a Supabase-backed application, all stemming from the same root cause: Postgres silently adds implicit GRANTs when objects are created, without the author explicitly writing them. The first incident involved a PII backup table created via CREATE TABLE AS SELECT, which inadvertently became fully accessible to unauthenticated users due to default public grants and no active row-level security. A second issue arose from a policy set to PUBLIC for a landing page, which allowed anonymous POST requests to return data-revealing error responses instead of proper 401 Unauthorized rejections. The third involved SECURITY DEFINER functions that inherited EXECUTE TO PUBLIC by default at creation time, making privileged operations invocable by any unauthenticated caller. The incidents highlight a systemic Postgres behaviour where developers may believe their migrations are restrictive, while the database quietly extends broader access than intended.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in