A security vulnerability was identified in self-hosted SFP server deployments: application tokens stored in the database could be read by any authenticated user through the Supabase PostgREST API, because of an overly permissive row-level security policy. The issue affected self-hosted deployments whose Supabase instance was publicly reachable without network-level restrictions. Cloud-managed (flxbl-managed) instances were not affected, because their auth and data planes are architecturally separated. The issue has been resolved in V3 with a migration that restricts application token access to the server-side service role only. As a precaution, all cloud V2 services were migrated on an accelerated schedule to V3, which operates behind the Cloudflare WAF.
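The policy shape described above, shown as an added SQL illustration (not the project's own migration): the permissive policy that exposes token rows to every signed-in user, the corrected privilege layout that leaves only the server-side service role able to read them, and the catalog queries an operator can run to confirm the fix. The table name app_tokens and its columns are assumptions; anon, authenticated and service_role are Supabase's built-in roles.

```sql
-- Added illustration, not the SFP project's own migration. The table name
-- "app_tokens" and its columns are assumptions; the anon, authenticated and
-- service_role roles are Supabase's built-ins.

-- Before: RLS is enabled, but the policy admits every signed-in user, so any
-- account holding a valid JWT can SELECT every token row through PostgREST.
create table if not exists app_tokens (
  id          bigint generated always as identity primary key,
  token       text not null,
  created_at  timestamptz not null default now()
);
alter table app_tokens enable row level security;

create policy "tokens readable by authenticated users" on app_tokens
  for select to authenticated
  using (true);   -- overly permissive: no per-row ownership check at all

-- After (the shape of the V3 fix): drop the permissive policy and take the
-- table privileges away from the API-facing roles. With RLS still enabled and
-- no policy left, PostgREST requests as anon or authenticated see zero rows,
-- while the server-side service_role key bypasses RLS and keeps working.
drop policy if exists "tokens readable by authenticated users" on app_tokens;
revoke all on app_tokens from anon, authenticated;
grant all on app_tokens to service_role;

-- Verification 1: no policy on the table should remain for API-facing roles.
select policyname, roles, cmd, qual
from pg_policies
where tablename = 'app_tokens';

-- Verification 2: only service_role (and the owner) should hold privileges.
select grantee, privilege_type
from information_schema.role_table_grants
where table_name = 'app_tokens'
order by grantee, privilege_type;
```

Run the two verification queries against a self-hosted instance after applying the migration; any row naming anon or authenticated indicates the permissive access is still in place.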
Self-hosted customers are advised to upgrade to V3 and to ensure that their Supabase and SFP server instances are reachable only from their internal network.