CRITICAL · CVSS 9.5
Class vulnerability — Supabase tables shipped without RLS
Class vulnerability — new Supabase tables are created with row level security (RLS) disabled. Until RLS is explicitly enabled on a table, any client holding the anon_key (which is public by design) can read every row through the auto-generated REST API.
Affects
- Any Supabase project; particularly AI-generated apps from Lovable, Bolt or v0
What an attacker does
An attacker extracts the project URL and SUPABASE_ANON_KEY from the shipped JS bundle, then queries each table directly through the REST API. Without RLS, every row is returned.
How to detect
Run supabase db dump | grep -ci 'enable row level security' and compare the count with supabase db dump | grep -ci 'create table' (the dump emits uppercase SQL, so the match must be case-insensitive); every table without a matching ENABLE ROW LEVEL SECURITY statement is exposed. Or use Securie's Supabase RLS specialist.
How to fix
Run alter table T enable row level security; for every table T, then add per-table, tenant-scoped policies. Enabling RLS with no policies yet denies all rows to non-owner roles, which is the safe interim state. See /templates/rls-policy-supabase.
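The check and the fix above, written out as an added SQL example for Supabase's Postgres (this is not code from the Securie page or from Supabase's own templates). The table public.invoices and its user_id owner column are hypothetical names chosen for the example; auth.uid() is Supabase's standard helper that returns the calling user's JWT subject (null for an anon_key request with no session).

```sql
-- Added example, not from the original page. Assumes a hypothetical
-- multi-tenant table public.invoices owned per row by user_id (uuid).

-- 1. Detect: every table in the public schema that still has RLS off.
--    pg_tables.rowsecurity stays false until ENABLE ROW LEVEL SECURITY is run.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and rowsecurity = false;

-- 2. The weak state: a table created by a migration with no RLS.
--    Both the anon and authenticated roles read every row through PostgREST.
create table if not exists public.invoices (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  amount     numeric(12,2) not null,
  created_at timestamptz not null default now()
);

-- 3. Fix: enable RLS. With RLS on and no policies, non-owner roles get zero
--    rows, which is the safe default until tenant-scoped policies exist.
alter table public.invoices enable row level security;
-- Optional: make RLS apply to the table owner as well.
alter table public.invoices force row level security;

-- 4. Tenant-scoped policies: each user sees and changes only its own rows.
--    Granting only to "authenticated" means an anon_key request without a
--    session matches no policy and receives nothing.
create policy "invoices_select_own" on public.invoices
  for select to authenticated
  using (user_id = auth.uid());

create policy "invoices_insert_own" on public.invoices
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "invoices_update_own" on public.invoices
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "invoices_delete_own" on public.invoices
  for delete to authenticated
  using (user_id = auth.uid());

-- 5. Verify: the audit query in step 1 no longer lists invoices, and the
--    four policies are visible in the catalog.
select policyname, cmd, roles
from pg_policies
where schemaname = 'public'
  and tablename = 'invoices';
```

Run step 1 against any project before and after a migration; a non-empty result is the finding. Step 2 shows the unfixed state only so the before/after is visible in one script; in a real migration, enable RLS and add the policies in the same migration that creates the table, so no deploy ever ships the table exposed.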
How Securie catches CVE-2025-XXXX
Securie's Supabase RLS specialist scans every migration.