Common Supabase security issues include exposed databases, hardcoded API keys, missing security headers, and weak authentication.
Based on our scans, the most common Supabase security issues are:
**Critical Issues:** - Database tables without access controls (open to anyone) - API keys hardcoded in JavaScript bundles - Service/admin keys exposed in frontend code
**High Severity Issues:** - Missing or weak RLS/Security Rules - No rate limiting on authentication - Source maps exposing source code
**Medium Severity Issues:** - Missing security headers (CSP, HSTS, X-Frame-Options) - Weak password requirements - Session cookies without secure flags
VAS checks for all these issues and provides remediation guidance for each finding.
of Lovable applications (170 out of 1,645) had exposed user data in the CVE-2025-48757 incident
Source: CVE-2025-48757 security advisory
of data breaches involve databases with misconfigured access controls
Source: Verizon Data Breach Investigations Report
average cost of a data breach in 2023
Source: IBM Cost of a Data Breach Report 2023
“Row Level Security is not optional for production applications. Without RLS, your anon key grants full public access to your database.”
“Service keys should never be used in the browser or exposed to customers. They bypass all Row Level Security policies.”
VAS scans for all the security issues mentioned above. Get a comprehensive security report in minutes.
Scan Your App