← Back to VibeScan
CriticalSecurity Finding

Row Level Security (RLS) Disabled

VibeScan detected signals that Row Level Security may be disabled on one or more of your Supabase tables. Without RLS, any authenticated user can query the entire table — including rows belonging to other users.

What RLS actually does

Supabase uses PostgreSQL's Row Level Security to control which rows a user can see or modify. Without it, the database falls back to role-level permissions — meaning anyone using your anon key (every visitor to your site) can run queries with no row-level restrictions.

RLS OFF (danger)
SELECT * FROM users
→ returns ALL 10,000 rows
RLS ON (safe)
SELECT * FROM users
→ returns only YOUR row

The attack is trivial

This is one of the most exploited issues in Supabase apps built with AI tools, because Lovable and Bolt don't enable RLS by default. Here's exactly what an attacker does:

  1. Open your app, inspect the network tab — find your Supabase URL and anon key in the JS bundle.
  2. Create a free Supabase account. Open any project's SQL editor.
  3. Point it at your database URL and run: SELECT * FROM users, SELECT * FROM orders, SELECT * FROM payments.
  4. Download every record in every table with no authentication.

How to fix it

1

Enable RLS on every table

In Supabase Dashboard → Table Editor → select each table → "Enable RLS". Do this for every table that contains user data.

-- Via SQL (do this for every table)
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
2

Add read policies

RLS with no policies blocks everyone including legitimate users. Add a policy that lets users access their own rows.

-- Users can only read their own profile
CREATE POLICY "users_select_own" ON profiles
  FOR SELECT USING (auth.uid() = user_id);

-- Users can only update their own profile
CREATE POLICY "users_update_own" ON profiles
  FOR UPDATE USING (auth.uid() = user_id);
3

Test your policies

Use the Supabase RLS policy tester or a test account to verify that users cannot see each other's data.

Fix prompt for Lovable / Bolt / Cursor

“VibeScan flagged that Row Level Security may be disabled on my Supabase tables. Please enable RLS on every table in my project and add appropriate policies. For user-owned data (profiles, orders, documents), add SELECT and UPDATE policies using auth.uid() = user_id. For public data like a products table, add a SELECT policy that allows all reads. Then test that one user cannot access another user's rows.”

Scan your app for missing RLS

VibeScan detects RLS signals alongside 10 other critical security checks — free, in under 60 seconds.

Scan my app free →