Cymero: My Vibe SaaS (Protected)
Severity: critical. Status: live in production. Category: Supabase policy drift. Confidence: 97%.
Anyone can read your customers table
A Supabase rule change made customer records readable by anonymous users.
Why this matters
Unauthenticated visitors may be able to read names, emails, plan status, and usage data for every customer.
Evidence
Location: supabase/migrations/202605041830_customers.sql:18
Production evidence:
  alter table public.customers disable row level security;
  Policy check returned rows for the anonymous role.
  The issue is live in the latest deployment, linked to commit 8f42a91.
Suggested fix
Re-enable row level security and add ownership-scoped policies that compare customer.account_id to the authenticated user's account membership.
Paste into Cursor
Review supabase/migrations/202605041830_customers.sql. Re-enable RLS on public.customers and add select/update policies so users can only access customers belonging to their account. Do not rely on client-provided account_id.
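The suggested fix above, worked through as a Supabase migration. This is an added example, not Cymero's generated remediation or the project's own migration; it assumes a public.account_members(account_id, user_id) table recording which users belong to which account, and relies on Supabase's auth.uid() and its anon/authenticated roles.

```sql
-- Assumed schema (not from the finding):
--   public.customers(id, account_id, name, email, plan_status, usage)
--   public.account_members(account_id, user_id)
-- Weak state recorded in the evidence: RLS off, so the anon role used by
-- unauthenticated PostgREST requests can read every row.
--   alter table public.customers disable row level security;

-- 1. Turn RLS back on; FORCE also applies it to the table owner.
alter table public.customers enable row level security;
alter table public.customers force row level security;

-- 2. Accounts the calling user belongs to, taken from the server-side
--    membership table, never from a client-supplied account_id.
--    security definer + pinned search_path: works even if account_members
--    has its own RLS, and cannot be redirected through the caller's path.
create or replace function public.my_account_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select account_id
  from public.account_members
  where user_id = auth.uid();
$$;
revoke all on function public.my_account_ids() from public;
grant execute on function public.my_account_ids() to authenticated;

-- 3. Ownership-scoped policies, granted to authenticated users only.
create policy customers_select_own_account
  on public.customers
  for select
  to authenticated
  using (account_id in (select public.my_account_ids()));

create policy customers_update_own_account
  on public.customers
  for update
  to authenticated
  using (account_id in (select public.my_account_ids()))
  with check (account_id in (select public.my_account_ids()));

-- 4. No policy names anon, so anonymous requests match no rows.
--    Re-run the policy check from the evidence as that role:
set role anon;
select count(*) from public.customers;  -- verify that anon sees no rows
reset role;
```

Keep the anon check as a post-migration test so a future migration that disables RLS again fails loudly instead of silently reopening the table.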