FixVibe
Covered by FixVibe · high


In Supabase-backed applications, data security relies on Row Level Security (RLS). If RLS is not explicitly enabled and configured with policies, any user with the public anonymous key can read, update, or delete data across the entire database. This is particularly critical in Next.js environments where the Supabase client is often initialized with a public API key.

CWE-284

Impact

Failure to implement Row Level Security (RLS) allows unauthenticated attackers to query data from a Supabase database when public tables are exposed through the anon boundary [S1]. Because Next.js applications typically expose the Supabase anon key in client-side code, an attacker can use this key to make direct REST API calls to the database, bypassing the intended application logic and accessing sensitive user information [S2].

Root Cause

By default, Postgres tables in Supabase require explicit activation of Row Level Security to prevent public access [S1]. When a developer creates a table but forgets to enable RLS or fails to define restrictive policies, the database may expose data to anyone possessing the project's anon key [S1]. In Next.js applications, server-side rendering and client-side fetching also require careful Supabase client setup so authenticated user context reaches the database layer [S2].

Concrete Fixes

  • Enable RLS: Execute ALTER TABLE "your_table_name" ENABLE ROW LEVEL SECURITY; for every public table that stores app data [S1].
  • Define Policies: Create specific policies that restrict access based on the user's authentication status, such as CREATE POLICY "Users can see their own data" ON your_table_name FOR SELECT USING (auth.uid() = user_id); [S1].
  • Secure Server-Side Clients: When using Next.js, keep service-role clients server-only and still apply ownership filters before returning data to users [S2].

How FixVibe tests for it

FixVibe already runs a read-only Supabase RLS check through baas.supabase-rls. The scanner discovers the Supabase project URL and public anon key from same-origin JavaScript bundles, asks PostgREST for public table metadata, and attempts limited read-only selects to confirm whether data is exposed without a user session. It does not insert, update, delete, or use service-role credentials. Repo scans can also catch this earlier through repo.supabase.missing-rls, which flags SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY.
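The repo-side check described above and the two SQL fixes from "Concrete Fixes" can be tied together in a small migration linter. The following is an added example, not FixVibe's own implementation of repo.supabase.missing-rls: it scans a set of SQL migration files for tables created in the public schema that no migration later enables row level security on, and emits the page's remediation statements for each one. The sample migrations are constructed for illustration, and the policy assumes the owning user's id lives in a user_id column (the page's own example column); tables in schemas other than public are ignored because PostgREST does not expose them by default.

```python
"""Lint Supabase SQL migrations for public tables that never enable RLS.

Added example (not FixVibe's scanner). Sample migrations below are
constructed; the `user_id` owner column is an assumption taken from the
page's example policy.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample migration files. Only `profiles` enables RLS;
# `orders` and `invoices` are created in `public` and left exposed.
SAMPLE_MIGRATIONS = [
    """
    -- 0001_profiles.sql
    create table public.profiles (
      id uuid primary key,
      user_id uuid not null references auth.users (id),
      display_name text
    );
    alter table public.profiles enable row level security;
    """,
    """
    /* 0002_orders.sql: RLS forgotten entirely */
    CREATE TABLE orders (
      id bigint generated always as identity primary key,
      user_id uuid not null,
      total numeric
    );
    create table if not exists "public"."invoices" (
      id bigint primary key,
      user_id uuid not null
    );
    create table private.audit_log (id bigint primary key, note text);
    """,
]

_IDENT = r'"?\w+"?'
CREATE_RE = re.compile(
    r'\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?'
    rf'(?:(?P<schema>{_IDENT})\s*\.\s*)?(?P<table>{_IDENT})',
    re.IGNORECASE,
)
ENABLE_RE = re.compile(
    r'\balter\s+table\s+(?:only\s+)?'
    rf'(?:(?P<schema>{_IDENT})\s*\.\s*)?(?P<table>{_IDENT})'
    r'\s+enable\s+row\s+level\s+security\b',
    re.IGNORECASE,
)


def _strip_comments(sql: str) -> str:
    """Drop /* */ and -- comments so commented-out statements are not
    mistaken for real ones."""
    sql = re.sub(r'/\*.*?\*/', '', sql, flags=re.DOTALL)
    return re.sub(r'--[^\n]*', '', sql)


def _name(m: re.Match) -> Tuple[str, str]:
    """Normalise a (schema, table) pair: unquoted, lower-case, schema
    defaulting to `public` when omitted."""
    schema = (m.group('schema') or 'public').strip('"').lower()
    table = m.group('table').strip('"').lower()
    return schema, table


def public_tables_without_rls(migrations: Iterable[str]) -> List[str]:
    """Return public-schema tables created by some migration but never
    given ENABLE ROW LEVEL SECURITY by any migration (later files count)."""
    sql = "\n".join(_strip_comments(m) for m in migrations)
    created = {t for s, t in map(_name, CREATE_RE.finditer(sql)) if s == 'public'}
    enabled = {t for s, t in map(_name, ENABLE_RE.finditer(sql)) if s == 'public'}
    return sorted(created - enabled)


def remediation_sql(table: str, owner_column: str = 'user_id') -> str:
    """The page's two fixes: enable RLS (which on its own denies the anon
    and authenticated roles every row until a policy grants some) and add
    an ownership SELECT policy keyed on auth.uid()."""
    return (
        f'ALTER TABLE public."{table}" ENABLE ROW LEVEL SECURITY;\n'
        f'CREATE POLICY "Users can see their own data" ON public."{table}"\n'
        f'  FOR SELECT USING (auth.uid() = {owner_column});'
    )


def lint(migrations: Iterable[str]) -> Dict[str, str]:
    """Map each exposed public table to the SQL that closes the gap."""
    return {t: remediation_sql(t) for t in public_tables_without_rls(migrations)}


if __name__ == '__main__':
    for table, fix in lint(SAMPLE_MIGRATIONS).items():
        print(f'-- missing RLS: public.{table}\n{fix}\n')
```

Run as a pre-merge check over the migrations directory, the linter reports `orders` and `invoices` but not `profiles` (RLS enabled in the same file) or `private.audit_log` (not in an exposed schema). Writes still need their own INSERT/UPDATE/DELETE policies; the emitted SELECT policy only restores read access for row owners once RLS has locked the table down.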