Get the latest tech news

Supabase MCP can leak your entire SQL database

In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables. Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces.

Everything the attack exploits therefore exists in an “out-of-the-box” configuration: the standard service_role, the default model, RLS and a language-model assistant that issues MCP calls on behalf of the developer. Actor (Role)Interface they useDB credential in playKey capability Customer / Attacker Public “Submit Ticket” form anon role (RLS-restricted)Create tickets & messages in their own rows Support Agent A support dashboard support role (RLS-restricted)Read / write only support_* tables Developer Cursor IDE + Supabase MCP service_role(bypasses RLS)Full SQL over every table IDE Assistant LLM invoked by CursorExecutes SQL via MCP under service_role Runs any query the text instructs The weak link: the IDE assistant ingests untrusted customer text and holds service_role privileges. This safeguard won’t catch every attack, but it provides a scalable and realistic first layer of defense—especially for teams using third-party IDEs like Cursor where structured context boundaries aren’t feasible.

Get the Android app