VBS-2026-0001 | CRITICAL | CVSS 9.8 | CWE-312

Supabase service_role key exposed in NEXT_PUBLIC_ environment variable

AI coding tools frequently instruct users to set the Supabase service role key as a NEXT_PUBLIC_ variable to "make it work." This prefix causes Next.js to bundle the key into client-side JavaScript, exposing it to every visitor. The service role key bypasses all Row Level Security policies, granting full read/write/delete access to the entire database.

Published: 2026-01-14
Discovered By: PolyDefender Research
CVSS Score: 9.8 / 10
Affected AI Platforms: Lovable, Bolt.new, ChatGPT, Claude, Gemini
Affected Tech Stack: Next.js + Supabase, React + Supabase
Proof of Concept: poc.ts

import { createClient } from '@supabase/supabase-js'

// Exposed in browser bundle - visible to anyone:
// NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=[REDACTED_SERVICE_ROLE_JWT]

// Project URL (not secret; NEXT_PUBLIC_SUPABASE_URL is the conventional variable name)
const url = process.env.NEXT_PUBLIC_SUPABASE_URL!

// Attacker can bypass all RLS: the bundled key is read straight from the client env
export const client = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY!)
await client.from('users').select('*')  // Returns ALL rows, ignoring RLS
Remediation

Move the service role key to a server-side only environment variable (no NEXT_PUBLIC_ prefix). Never use it in client components. Use the anon key on the client.

#supabase #next.js #credentials #ai-generated

FAQ
Q

How do I check whether my Next.js + Supabase or React + Supabase app is affected by the Supabase service_role key being exposed in a NEXT_PUBLIC_ environment variable?

A

AI coding tools frequently instruct users to set the Supabase service role key as a NEXT_PUBLIC_ variable to "make it work." This prefix causes Next.js to bundle the key into client-side JavaScript, exposing it to every visitor. Search your codebase, including .env files and the built client bundle, for any NEXT_PUBLIC_ variable that holds the service role key, and verify that the remediation has been applied. This is rated CVSS 9.8: if your app is already in production, treat it as a live incident, since the key may already have been collected by visitors.
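An added check for the pattern described in this answer and in the Remediation section (example code, not PolyDefender's tooling). It assumes Node.js and relies on the fact that Supabase API keys are JWTs whose payload carries a "role" claim; the sample .env lines and keys are constructed, unsigned and not real keys.

```javascript
// Added example, not PolyDefender's code: scan .env contents for NEXT_PUBLIC_
// variables whose value is a Supabase service_role JWT. Supabase API keys are
// JWTs with a "role" claim ("anon" or "service_role"); public-prefixed ones get bundled.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not a JWT (e.g. a dotted URL whose middle segment is not JSON)
  }
}

// Minimal KEY=VALUE parser: skips blanks/comments, strips surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Returns the names of NEXT_PUBLIC_ variables holding a service_role key.
function findExposedServiceRoleKeys(envText) {
  return Object.entries(parseDotenv(envText))
    .filter(([k, v]) => k.startsWith('NEXT_PUBLIC_') &&
      decodeJwtPayload(v)?.role === 'service_role')
    .map(([k]) => k);
}

// Constructed, unsigned, JWT-shaped sample keys (not real Supabase keys).
function fakeSupabaseKey(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ iss: 'supabase', role })}.sig`;
}

const SAMPLE_ENV = [
  'NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co',
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeSupabaseKey('anon')}`,
  `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY="${fakeSupabaseKey('service_role')}"`,
  `SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseKey('service_role')}`, // server-only: fine
].join('\n');

console.log(findExposedServiceRoleKeys(SAMPLE_ENV)); // → [ 'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY' ]
```

Run it against each .env* file in the repository; only the NEXT_PUBLIC_-prefixed service_role entry is reported, while the anon key and the server-only variable pass.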

Q

Why do Lovable and Bolt.new generate code with CWE-312 (critical severity)?

A

AI coding tools frequently instruct users to set the Supabase service role key as a NEXT_PUBLIC_ variable to "make it work." This prefix causes Next.js to bundle the key into client-side JavaScript, exposing it to every visitor. The service role key bypasses all Row Level Security policies, granting full read/write/delete access to the entire database.

Q

How do I fix a Supabase service_role key exposed in a NEXT_PUBLIC_ environment variable?

A

Move the service role key to a server-side only environment variable (no NEXT_PUBLIC_ prefix). Never use it in client components. Use the anon key on the client.

Q

What can an attacker do if my app contains VBS-2026-0001?

A

This vulnerability is rated CVSS 9.8 (critical): an attacker can likely gain complete control of your data or infrastructure. The service role key bypasses all Row Level Security policies, granting full read/write/delete access to the entire database.