GRPC PATCHES AUTHORIZATION BYPASS AS SUPABASE MODERNIZES REALTIME STACK
By RepoJournal · About Supabase
A critical authorization bypass in gRPC 1.56 to 1.79.2 could let attackers bypass request validation, and Supabase is patching its benchmarks repo while shipping realtime improvements.
The grpc-go team fixed a server-side authorization bypass in which malformed :path headers missing the leading slash could bypass authorization checks [1]. Supabase's benchmarks repo jumped from gRPC 1.56.3 to 1.79.3 to close this gap [1]. On the realtime front, the team is dropping its fork of gen_rpc now that all upstream PRs have landed in the original EMQX repository [2], reducing maintenance burden. Svelte got two separate bumps in benchmarks: a major jump from 4.2.19 to 5.51.5 [3], followed by patch updates to 5.55.7 addressing XSS on hydration [4]. The supabase-js client in realtime was bumped to v2.108.2, fixing auth session refresh failures and clarifying httpSend() errors [5]. On the docs side, external replication (ETL) terminology is now standardized across the platform [6], Edge Functions got a new error codes reference guide [7], and High Availability projects on Multigres now show which features (Realtime, Replication, PITR) are unavailable [8].
Action items
- Verify benchmarks repo runs gRPC 1.79.3 or later in your local environment (supabase/benchmarks) [immediate]
- Review Multigres HA feature restrictions in Studio to prevent user confusion (supabase/supabase) [plan]
- Monitor realtime stability after gen_rpc fork consolidation in next release (supabase/realtime) [monitor]
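The gRPC version check from the first action item can be automated against a go.mod file. This is an added example, not code from Supabase or grpc-go; the name Patched and the sample go.mod are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// fixed is the patched grpc-go release named in the article.
var fixed = [3]int{1, 79, 3}

// requireRE matches the grpc-go requirement in go.mod, either as a single-line
// "require" or inside a require block. Replace lines, pre-release versions and
// pseudo-versions do not match, so they surface as an error for manual review.
var requireRE = regexp.MustCompile(
	`(?m)^[ \t]*(?:require[ \t]+)?google\.golang\.org/grpc[ \t]+v(\d+)\.(\d+)\.(\d+)[ \t]*(?://.*)?\r?$`)

// Patched reports whether go.mod text requires grpc-go at or above the fix.
func Patched(gomod string) (bool, error) {
	m := requireRE.FindStringSubmatch(gomod)
	if m == nil {
		return false, fmt.Errorf("no plain google.golang.org/grpc requirement found")
	}
	for i, want := range fixed {
		got, err := strconv.Atoi(m[i+1])
		if err != nil {
			return false, err
		}
		if got != want {
			return got > want, nil // first differing component decides
		}
	}
	return true, nil
}

// sampleGoMod is a constructed go.mod, not the benchmarks repository's file.
const sampleGoMod = `module example.test/bench

require (
	github.com/example/dep v0.1.0
	google.golang.org/grpc v1.56.3 // indirect
)
`

func main() {
	ok, err := Patched(sampleGoMod)
	fmt.Println("patched:", ok, "err:", err)
}
```

A replace directive or a vendored copy can change what is actually built, so a passing result covers the go.mod requirement only.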
References
- [1] build(deps): bump google.golang.org/grpc from 1.56.3 to 1.79.3 in the go_modules group across 1 directory (supabase/benchmarks)
- [2] fix: update gen_rpc to original fork (supabase/realtime)
- [3] build(deps-dev): bump svelte from 4.2.19 to 5.51.5 in /web in the npm_and_yarn group across 1 directory (supabase/benchmarks)
- [4] build(deps): bump the npm_and_yarn group across 1 directory with 6 updates (supabase/benchmarks)
- [5] chore: update @supabase/supabase-js to v2.108.2 (supabase/realtime)
- [6] Standardize external replication (ETL) docs (supabase/supabase)
- [7] docs(functions): add error codes page (supabase/supabase)
- [8] chore: Disable some of the Studio features on Multigres projects (supabase/supabase)
FAQ
- What changed in Supabase on June 16, 2026?
- A critical authorization bypass in gRPC 1.56 to 1.79.2 could let attackers bypass request validation, and Supabase is patching its benchmarks repo while shipping realtime improvements.
- What should Supabase teams do about it?
- Verify benchmarks repo runs gRPC 1.79.3 or later in your local environment • Review Multigres HA feature restrictions in Studio to prevent user confusion • Monitor realtime stability after gen_rpc fork consolidation in next release
- Which Supabase repositories shipped on June 16, 2026?
- supabase/benchmarks, supabase/realtime, supabase/supabase