Supabase MCP can leak your entire SQL database

Summary

Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces. In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables. The Problem LLMs are often used to process data according to pre-defined instructions. The system prompt, user instructions, and the data context is provided to the LLM as text. [SYSTEM PROMPT] You are a helpful assistant. [FETCHED DATA] Customer: I'm having trouble with billing. Customer: I need to update my credit card because the current one expired. [USER INSTRUCTION] Summarize the ticket and suggest a reply.The core issue is that LLMs don't have a built-in understanding of context boundries. They process all text the same way; whether it is data/context or user instructions. The core problem of LLMs interacting with tools is that they can not distinguish instructions from data. Therefore, if a caarefully crafted piece of user-provided “data” happens to look like an instruction, the model may process it as one. The Setup To keep the demonstration self-contained, we spun up a fresh Supabase project that mirrors a typical multi-tenant customer-support SaaS. The instance was populated with dummy data only, Row-Level-Security (RLS) was enabled exactly as documented, and no additional extensions or policies were introduced. Everything the attack exploits therefore exists in an “out-of-the-box” configuration: the standard service_role, the default model, RLS and a language-model assistant that issues MCP calls on behalf of the developer. We assume the developer uses Cursor to interact with the MCP to list the latest support tickets occasionally. 1. Actors & Privilege Boundaries Actor (Role)Interface they useDB credential in playKey capabilityCustomer / AttackerPublic “Submit Ticket” formanon role (RLS-restricted)Create tickets & messages in their own rowsSupport AgentA support d...