> Given the enormous risk involved even with a read-only MCP against your database, I would encourage Supabase to be much more explicit in their documentation about the prompt injection / lethal trifecta attacks that could be enabled via their MCP!
What if MCP itself is a completely flawed standard? You can easily manipulate the agent to leak sensitive data with really basic prompt injection attacks.
We already have seen many flaws and attacks on other MCP servers such as one from Heroku's MCP server [0] and one from Anthropic's MCP inspector [1]. This issue from Supabase for poor documentation is no different.
This protocol is quickly becoming one of the most insecure standards I have seen and once again, nobody cares.
(Until we get a totally avoidable data breach via a MCP server left wide open somewhere).
rvz•7mo ago
What if MCP itself is a completely flawed standard? You can easily manipulate the agent to leak sensitive data with really basic prompt injection attacks.
We already have seen many flaws and attacks on other MCP servers such as one from Heroku's MCP server [0] and one from Anthropic's MCP inspector [1]. This issue from Supabase for poor documentation is no different.
This protocol is quickly becoming one of the most insecure standards I have seen and once again, nobody cares.
(Until we get a totally avoidable data breach via a MCP server left wide open somewhere).
[0] https://news.ycombinator.com/item?id=44434776
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-49596