VBS-2026-0002 | CRITICAL | CVSS 9.1 | CWE-284

LLM-generated Supabase schemas frequently omit Row Level Security (RLS) policies entirely. When RLS is disabled on a table, the Supabase anon key (which is always public) grants unauthenticated read and write access to all rows. This is the leading cause of data breaches in apps built with AI tools.
-- AI-generated migration (no RLS):
CREATE TABLE messages (id uuid, user_id uuid, content text);
-- No: ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
-- No RLS policies

-- Any anonymous user can read all messages:
curl "https://PROJECT.supabase.co/rest/v1/messages?select=*" \
  -H "apikey: ANON_KEY"
Enable RLS on every table:
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
Then add restrictive policies. Never deploy without verifying RLS status.
How do I check if my Supabase app is affected by missing Row Level Security on Supabase tables created by AI assistants?
LLM-generated Supabase schemas frequently omit Row Level Security (RLS) policies entirely. Search your codebase for Supabase table definitions and verify that the remediation (RLS enabled plus restrictive policies) has been applied to each table. This is rated CVSS 9.1; if your app is already in production, treat it as a live incident.
Why do Lovable and Bolt.new generate code with CWE-284 (critical severity)?
LLM-generated Supabase schemas frequently omit Row Level Security (RLS) policies entirely. When RLS is disabled on a table, the Supabase anon key (which is always public) grants unauthenticated read and write access to all rows.
How do I fix missing Row Level Security on Supabase tables created by AI assistants?
Enable RLS on every table:
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
Then add restrictive policies. Never deploy without verifying RLS status.
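The remediation section above and this answer, carried through for the advisory's messages table as an added example (not the advisory's own code): it assumes Supabase's auth.uid() helper and the built-in authenticated role, and ends with the query to run before deploying to find any public-schema table that still has RLS off.

```sql
-- Hardened version of the messages migration (added example; assumes the
-- Supabase auth.uid() helper and the built-in "authenticated" role).
CREATE TABLE messages (
  id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id uuid NOT NULL,
  content text NOT NULL
);

-- 1. Enable RLS. With RLS on and no policies, every role that is not
--    BYPASSRLS (including anon) gets zero rows: deny by default.
ALTER TABLE messages ENABLE ROW LEVEL SECURITY;

-- 2. Restrictive policies: a signed-in user reads and writes only rows
--    whose user_id matches their JWT subject. No policy names anon, so
--    the public anon key still sees nothing even though Supabase grants
--    anon table privileges on the public schema by default.
CREATE POLICY messages_select_own ON messages
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

CREATE POLICY messages_insert_own ON messages
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY messages_update_own ON messages
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY messages_delete_own ON messages
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);

-- 3. Verification: list public-schema tables with RLS disabled.
--    pg_tables.rowsecurity is the standard PostgreSQL catalog column;
--    the expected result before any deploy is an empty set.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND NOT rowsecurity
ORDER BY tablename;
```

Policies are additive (permissive by default), so audit the full policy list for each table as well; a later "allow all" policy added by another migration reopens the table.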
What can an attacker do if my app contains VBS-2026-0002?
Rated CVSS 9.1 (critical): an attacker can likely gain complete control of your data or infrastructure. When RLS is disabled on a table, the Supabase anon key (which is always public) grants unauthenticated read and write access to all rows.