Supabase RLS: 5 configuration mistakes we find every week
Supabase is powerful. But RLS mistakes are everywhere.
Mistake 1: RLS enabled without policies
With RLS on and no policies, every query against the table is denied. The usual "fix" is to ship the service_role key in client-side code, which bypasses RLS entirely.
Mistake 2: SELECT protected, UPDATE/DELETE forgotten
The most common mistake: the SELECT policy is scoped, but UPDATE and DELETE were never given equivalent policies, so any authenticated user can modify other users' data.
Mistake 3: USING(true)
A policy with USING (true) is no protection at all: every row is accessible to everyone the policy applies to.
Mistake 4: RPC functions without checks
RPC functions bypass RLS by default, so any ownership or role check the table policies would have enforced must be written into the function body itself.
Mistake 5: Storage buckets without policies
Confidential documents end up in buckets that have no storage policies at all.
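The five mistakes above, shown as a weak setting beside its corrected form. This is an added example, not code from the original article or from Supabase; it assumes a "documents" table, a "private-docs" bucket, and Supabase's built-in auth.uid(), authenticated role and storage.foldername() helper.

```sql
-- Added example (not from the article). Assumes a "documents" table,
-- a "private-docs" bucket, and Supabase's auth.uid() / authenticated role.
create table if not exists documents (
  id bigint generated always as identity primary key,
  owner_id uuid not null default auth.uid(),
  title text not null
);

-- Mistake 1 / 3: RLS with no policy locks everyone out; USING (true) lets
-- everyone in. Neither is a policy.
alter table documents enable row level security;
-- create policy "anyone" on documents for select using (true);  -- weak

-- Mistake 2: every command needs its own policy, not just SELECT.
create policy "documents_select_own" on documents
  for select to authenticated
  using (owner_id = auth.uid());

create policy "documents_update_own" on documents
  for update to authenticated
  using (owner_id = auth.uid())          -- which rows may be targeted
  with check (owner_id = auth.uid());    -- owner_id cannot be reassigned

create policy "documents_delete_own" on documents
  for delete to authenticated
  using (owner_id = auth.uid());

-- Mistake 4: a SECURITY DEFINER function runs as its owner and ignores RLS,
-- so it must enforce ownership itself before touching any row.
create or replace function archive_document(doc_id bigint)
returns void language plpgsql security definer set search_path = public as $$
begin
  if not exists (select 1 from documents
                 where id = doc_id and owner_id = auth.uid()) then
    raise exception 'not authorized';
  end if;
  update documents set title = '[archived] ' || title where id = doc_id;
end;
$$;

-- Mistake 5: storage policies live on storage.objects; scope reads to the
-- caller's own top-level folder inside the bucket.
create policy "private_docs_read_own" on storage.objects
  for select to authenticated
  using (bucket_id = 'private-docs'
         and (storage.foldername(name))[1] = auth.uid()::text);
```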
Sources
Editorial analysis based on official vendor, project, and regulator documentation.