What security issues do Supabase apps have?

Headline incident: Most Supabase Security Issues: Missing RLS

The majority of Supabase security incidents stem from tables without Row Level Security enabled. When RLS is disabled, anyone with your anon key can read, modify, or delete all data in that table.

Critical issues in Supabase apps

• **Tables Without RLS**: Any table without RLS enabled is fully exposed via the public API. *(Observed: This is the #1 vulnerability in Supabase apps, affecting majority of vibe-coded projects.)*
• **Service Role Key Exposure**: The service_role key bypasses all RLS and grants admin access.

High-severity issues

• **Permissive RLS Policies**: Policies that allow more access than intended (e.g., any authenticated user).
• **Unprotected RPC Functions**: Database functions callable without authentication.

Medium/low-severity issues

• **Storage Bucket Exposure**: Storage buckets without policies allow public read/write.

Why these are the issues specific to Supabase

Supabase apps ship with a recognizable stack (supabase). The issue list above is what appears when you scan that specific combination. A Firebase-backed app would have a different top-5; a self-hosted Postgres deployment would have yet another. Context is everything.

What VAS checks in a Supabase scan

• **RLS Policies** — Tests your Row Level Security by attempting to read/write data as anonymous and authenticated users.
• **Service Key Exposure** — Scans for service_role keys that should never be in client-side code.
• **RPC Functions** — Tests your database functions for proper authentication requirements.
• **Auth Configuration** — Checks authentication settings for weak passwords, missing verification, and rate limiting.