Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)

786 points rexpository | 3 comments | 08 Jul 25 17:46 UTC | HN request time: 0s | source

Show context

tptacek ◴[08 Jul 25 19:15 UTC] No.44503091[source]▶

This is just XSS mapped to LLMs. The problem, as is so often the case with admin apps (here "Cursor and the Supabase MCP" is an ad hoc admin app), is that they get a raw feed of untrusted user-generated content (they're internal scaffolding, after all).

In the classic admin app XSS, you file a support ticket with HTML and injected Javascript attributes. None of it renders in the customer-facing views, but the admin views are slapped together. An admin views the ticket (or even just a listing of all tickets) and now their session is owned up.

Here, just replace HTML with LLM instructions, the admin app with Cursor, the browser session with "access to the Supabase MCP".

replies(4): >>44503182 #>>44503194 #>>44503269 #>>44503304 #

otterley ◴[08 Jul 25 19:35 UTC] No.44503269[source]▶

>>44503091 #

Oh, Jesus H. Christ: https://github.com/supabase-community/supabase-mcp/blob/main...

replies(2): >>44503322 #>>44503344 #

noselasd ◴[08 Jul 25 19:43 UTC] No.44503344[source]▶

>>44503269 #

It's an MCP for your database, ofcourse it's going to execute SQL. It's your responsibility for who/what can access the MCP that you've pointed at your database.

replies(2): >>44503594 #>>44504647 #

1. otterley ◴[08 Jul 25 20:08 UTC] No.44503594[source]▶

>>44503344 #

Except without any authentication and authorization layer. Remember, the S in MCP is for "security."

Also, you can totally have an MCP for a database that doesn't provide any SQL functionality. It might not be as flexible or useful, but you can still constrain it by design.

replies(1): >>44505023 #

2. tptacek ◴[08 Jul 25 23:44 UTC] No.44505023[source]▶

>>44503594 (TP) #

No part of what happened in this bug report has anything to do with authentication and authorization. These developers are using the MCP equivalent of a `psql` prompt. They assume full access.

I think this "S in MCP" stuff is a really handy indicator for when people have missed the underlying security issue, and substituted some superficial thing instead.

replies(1): >>44506488 #

3. otterley ◴[09 Jul 25 05:08 UTC] No.44506488[source]▶

>>44505023 #

What do you think the underlying security issue is? I see at least two of them.

Also, psql doesn’t automatically provide its caller with full access to a database server—or any access at all, for that matter. You still have to authenticate yourself somehow, even if you’re it’s just local peer authentication.

If this MCP server is running with your own credentials, and your credentials give you full access to the database, then the fact that the service can be used to make arbitrary queries to the database is not remarkable: It’s literally your agent. We’d call it a bug, not necessarily a security risk. However, if it’s running with credentials that aren’t yours that provide full access, and your own credentials don’t, then this bug becomes a privilege escalation attack vector. It’s a classic confused deputy problem.

The situation with MCP today reminds me of the 1990s when everyone ran open SMTP servers. It wasn’t a big deal at first, but once the abuse became bad enough, we had to do something about it. SMTP didn’t have any security facilities in it, so we had to experiment with patchy solutions and ended up with a in-band solution involving the AUTH extension and SASL.

Something similar is going on with MCP right now. It doesn’t offer an in-band generic authentication support (hence the missing “S”). There’s no way I’m aware of to pass arbitrary application credentials to an MCP server so it can act as a database query agent that can do only as much as your credentials permit. There seems to be limited support for bearer tokens and OAuth, but neither of those directly translate to database credentials.

↑