Access Control: Row Level Security Bypass
Identifier:
row_level_security
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
Row Level Security (RLS) bypass vulnerabilities occur when database queries can be manipulated to access data that should be restricted. This typically happens when applications do not enforce access controls at the database level, allowing attackers to use techniques such as select=* parameters or query manipulation to retrieve more data than they are authorized to see. This is especially common in Supabase and similar database-as-a-service platforms, where RLS policies may be misconfigured or bypassed through API parameter manipulation. Attackers can exploit these vulnerabilities to access sensitive data, violate privacy regulations, and potentially gain unauthorized access to user information or business-critical data.
Supabase exposes REST endpoints directly on top of the database; if Row Level Security is not properly implemented on a table, those endpoints allow the RLS to be bypassed.
This check only covers Supabase for now.
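As an added illustration that is not part of the original check description, the following SQL shows a Supabase table first left exposed to the REST API, then protected by enabling RLS and adding owner-only policies; the table name, its columns and the policy names are assumed, while auth.uid(), the authenticated role and pg_policies are standard Supabase/PostgreSQL objects:

```sql
-- Added example (not from the original page). Table/column/policy names are assumed.

-- Weak: a freshly created table has RLS disabled, so any caller holding the
-- project's anon key can read every row through GET /rest/v1/profiles?select=*
create table public.profiles (
  id        uuid primary key references auth.users (id),
  email     text not null,
  full_name text
);

-- Hardened step 1: enable RLS. With RLS on and no policy, the default is deny,
-- so the same select=* request now returns an empty result set.
alter table public.profiles enable row level security;

-- Hardened step 2: grant access explicitly. auth.uid() is the subject of the
-- caller's JWT; only the row whose id matches it is visible or writable.
create policy "profiles: owner can read"
  on public.profiles
  for select
  to authenticated
  using ((select auth.uid()) = id);

create policy "profiles: owner can update"
  on public.profiles
  for update
  to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

-- No policy is created for the anon role, so unauthenticated requests get no rows.

-- Verification queries a reviewer can run against the project database:
-- (a) RLS must actually be enabled on the relation
select relrowsecurity, relforcerowsecurity
  from pg_class
 where oid = 'public.profiles'::regclass;

-- (b) every policy should name a role and carry a non-trivial USING clause;
--     a policy with qual = 'true' is effectively no restriction at all
select policyname, cmd, roles, qual, with_check
  from pg_policies
 where schemaname = 'public' and tablename = 'profiles';
```

Run the verification queries for each table that the REST API exposes; a table with relrowsecurity = false, or a policy whose qual is simply true, is exactly the misconfiguration this check looks for.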
References:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control/
- https://supabase.com/docs/guides/auth/row-level-security
- https://securityonline.info/cve-2025-48757-lovables-row-level-security-breakdown-exposes-sensitive-data-across-hundreds-of-projects/
Configuration
Example
Example configuration:
Reference
assets_allowed
Type: List[AssetType]
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.