FixVibe
Covered by FixVibe (severity: high)

Unauthorized data access via missing Row Level Security (RLS)

Missing or misconfigured Row Level Security (RLS) in Supabase-backed apps can lead to full database exposure.

In Supabase-backed applications, data security relies on Row Level Security (RLS). If RLS is not explicitly enabled and configured with policies, any user with the public anonymous key can read, update, or delete data across the entire database. This is particularly critical in Next.js environments where the Supabase client is often initialized with a public API key.

CWE-284

Impact

Failure to implement Row Level Security (RLS) allows unauthenticated attackers to query data from a Supabase database when public tables are exposed through the anon boundary [S1]. Because Next.js applications typically expose the Supabase anon key in client-side code, an attacker can use this key to make direct REST API calls to the database, bypassing the intended application logic and accessing sensitive user information [S2].

Root Cause

By default, Postgres tables in Supabase require explicit activation of Row Level Security to prevent public access [S1]. When a developer creates a table but forgets to enable RLS or fails to define restrictive policies, the database may expose data to anyone possessing the project's anon key [S1]. In Next.js applications, server-side rendering and client-side fetching also require careful Supabase client setup so authenticated user context reaches the database layer [S2].

Concrete Fixes

  • Enable RLS: Execute ALTER TABLE "your_table_name" ENABLE ROW LEVEL SECURITY; for every public table that stores app data [S1].
  • Define Policies: Create specific policies that restrict access based on the user's authentication status, such as CREATE POLICY "Users can see their own data" ON your_table_name FOR SELECT USING (auth.uid() = user_id); [S1].
  • Secure Server-Side Clients: When using Next.js, keep service-role clients server-only and still apply ownership filters before returning data to users [S2].

How FixVibe tests for it

FixVibe already runs a read-only Supabase RLS check through baas.supabase-rls. The scanner discovers the Supabase project URL and public anon key from same-origin JavaScript bundles, asks PostgREST for public table metadata, and attempts limited read-only selects to confirm whether data is exposed without a user session. It does not insert, update, delete, or use service-role credentials. Repo scans can also catch this earlier through repo.supabase.missing-rls, which flags SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY.
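As an added illustration (not FixVibe's own scanner code), here is a minimal version of the repo.supabase.missing-rls check from the paragraph above, run over a constructed migration: it reports public tables created without ENABLE ROW LEVEL SECURITY, shows the table that applies the Concrete Fixes passing, and additionally flags tables where RLS is on but no policy exists, which Postgres treats as deny-all.

```python
from __future__ import annotations
import re

# Constructed sample migration (not from the page). It mixes quoted and
# schema-qualified identifiers so the matching logic is exercised: "orders"
# carries the fix from the Concrete Fixes list, the other two tables do not.
SAMPLE_MIGRATION = """
create table public.profiles (id uuid primary key, user_id uuid, bio text);
CREATE TABLE "orders" (id serial primary key, user_id uuid, total numeric);
ALTER TABLE "orders" ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can see their own data" ON orders
  FOR SELECT USING (auth.uid() = user_id);
create table public.audit_log (id bigserial primary key, msg text);
alter table public.audit_log enable row level security;
create table private.sessions (id uuid primary key);  -- not a public table
"""

# Optional schema prefix; identifiers may be double-quoted.
IDENT = r'(?:"?(?P<schema>\w+)"?\.)?"?(?P<name>\w+)"?'
CREATE_RE = re.compile(r"\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?" + IDENT, re.I)
ENABLE_RE = re.compile(
    r"\balter\s+table\s+(?:only\s+)?" + IDENT + r"\s+enable\s+row\s+level\s+security", re.I)
POLICY_RE = re.compile(r'\bcreate\s+policy\s+(?:"[^"]*"|\w+)\s+on\s+' + IDENT, re.I)


def _key(m: re.Match) -> tuple[str, str]:
    # Postgres folds unquoted identifiers to lower case; quoted ones are folded
    # too here for simplicity. The default schema is public.
    return ((m.group("schema") or "public").lower(), m.group("name").lower())


def scan_migration(sql: str) -> dict[str, str]:
    """Map every table created in the public schema to a finding:
    missing-rls    no ENABLE ROW LEVEL SECURITY: readable/writable with the anon key
    rls-no-policy  RLS on but no CREATE POLICY: Postgres denies all rows, so the
                   app fails until a policy like the SELECT example above is added
    ok             RLS enabled and at least one policy defined"""
    sql = re.sub(r"--[^\n]*", "", sql)  # strip SQL line comments
    created = [_key(m) for m in CREATE_RE.finditer(sql)]
    rls_on = {_key(m) for m in ENABLE_RE.finditer(sql)}
    has_policy = {_key(m) for m in POLICY_RE.finditer(sql)}
    findings: dict[str, str] = {}
    for schema, name in created:
        if schema != "public":
            continue  # the repo check on this page targets public tables only
        key = (schema, name)
        findings[name] = ("missing-rls" if key not in rls_on
                          else "rls-no-policy" if key not in has_policy else "ok")
    return findings
```

Running `scan_migration(SAMPLE_MIGRATION)` reports profiles as missing-rls, orders as ok and audit_log as rls-no-policy.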