Supabase MCP can leak your entire SQL database

Attackers can exploit Supabase's Model Context Protocol (MCP) integration to extract entire private SQL databases by injecting malicious instructions into customer support tickets, which the developer's IDE assistant then executes with full service_role privileges that bypass Row-Level Security policies. The vulnerability exists because LLMs cannot distinguish between user-provided data and instructions, so a crafted ticket message that looks like a SQL command will be processed as one, allowing an attacker to leak sensitive tables like integration tokens that the support agent role itself cannot access.

Visit Original Article →