←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
779 points rexpository | 1 comments | 08 Jul 25 17:46 UTC | HN request time: 0.195s | source
Show context
rhavaeis ◴[08 Jul 25 20:01 UTC] No.44503524[source]
CEO of General Analysis here (The company mentioned in this blogpost)

First, I want to mention that this is a general issue with any MCPs. I think the fixes Supabase has suggested are not going to work. Their proposed fixes miss the point because effective security must live above the MCP layer, not inside it.

The core issue that needs addressing here is distinguishing between data and instructions. A system needs to be able to know the origins of an instruction. Every tool call should carry metadata identifying its source. For example, an EXECUTE SQL request originating from your database engine should be flagged (and blocked) since an instruction should come from the user not the data.

We can borrow permission models from traditional cybersecurity—where every action is scoped by its permission context. I think this is the most promising solution.

replies(2): >>44503628 #>>44508488 #
1. nijave ◴[09 Jul 25 11:01 UTC] No.44508488[source]
This seems like the most obvious solution.

"Just don't give the MCP access in the first place"

If you're giving it raw SQL access, then you need to make sure you have an appropriate database setup with user/actor scoped roles which I don't think is very common. Much more common the app gets a privileged service account