diff --git a/lib/realtime/tenants/migrations.ex b/lib/realtime/tenants/migrations.ex
index 489431c11..62b75b932 100644
--- a/lib/realtime/tenants/migrations.ex
+++ b/lib/realtime/tenants/migrations.ex
@@ -59,7 +59,8 @@ defmodule Realtime.Tenants.Migrations do
     FixWalrusRoleHandling,
     UnloggedMessagesTable,
     LoggedMessagesTable,
-    FilterDeletePostgresChanges
+    FilterDeletePostgresChanges,
+    ReduceGrantsPostgresUser
   }
 
   @migrations [
@@ -109,7 +110,8 @@ defmodule Realtime.Tenants.Migrations do
     {20_240_618_124_746, FixWalrusRoleHandling},
     {20_240_801_235_015, UnloggedMessagesTable},
     {20_240_805_133_720, LoggedMessagesTable},
-    {20_240_827_160_934, FilterDeletePostgresChanges}
+    {20_240_827_160_934, FilterDeletePostgresChanges},
+    {20_240_919_140_541, ReduceGrantsPostgresUser}
   ]
   defstruct [:tenant_external_id, :settings]
   @spec run_migrations(map()) :: :ok | {:error, any()}
diff --git a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
new file mode 100644
index 000000000..4eca60088
--- /dev/null
+++ b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
@@ -0,0 +1,20 @@
+defmodule Realtime.Tenants.Migrations.ReduceGrantsPostgresUser do
+  @moduledoc false
+  use Ecto.Migration
+
+  def change do
+    execute("revoke supabase_realtime_admin from postgres")
+    execute("alter default privileges for role supabase_admin in schema realtime revoke all on tables from postgres")
+    execute("alter default privileges for role supabase_admin in schema realtime revoke all on functions from postgres")
+    execute("alter default privileges for role supabase_admin in schema realtime revoke all on sequences from postgres")
+
+    execute("revoke all on table realtime.schema_migrations from postgres, anon, authenticated, service_role")
+    execute("grant select on table realtime.schema_migrations to postgres with grant option")
+
+    execute("revoke all on table realtime.messages from postgres, anon, authenticated, service_role")
+    execute("grant select, insert on table realtime.messages to postgres with grant option")
+
+    execute("revoke all on table realtime.subscription from postgres")
+    execute("grant select on table realtime.subscription to postgres with grant option")
+  end
+end
diff --git a/mix.exs b/mix.exs
index 019871674..7d1f019e0 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do
   def project do
     [
       app: :realtime,
-      version: "2.32.11",
+      version: "2.32.12",
       elixir: "~> 1.16.0",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,
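Review bot: Every statement in `change/0` goes through `execute/1`, which Ecto cannot reverse, so rolling this migration back raises instead of doing anything deliberate; either split the body into explicit `up/0` and `down/0` or use `execute/2` with a chosen down statement (a no-op down is acceptable for a privilege reduction, but it should be an explicit decision rather than a crash). The `realtime.subscription` block revokes only from `postgres`, while the `schema_migrations` and `messages` blocks also revoke from `anon`, `authenticated` and `service_role`; if that asymmetry is intentional, a one-line comment above it saying why would save the next reader a check. Every re-grant carries `with grant option`, so `postgres` can still re-extend select (and insert on `messages`) to other roles, which narrows the reduction to what is on the page and is worth stating rather than hiding behind `@moduledoc false`, e.g. `@moduledoc "Drops the postgres role's membership in supabase_realtime_admin and its default privileges in the realtime schema, leaving it select on schema_migrations and subscription and select/insert on messages, each with grant option."`. The `alter default privileges for role supabase_admin` statements presumably require the migration connection to run as `supabase_admin` or a member of it; that is not visible here and is worth confirming against the tenant migration role.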