VibeScan detected signals that Row Level Security may be disabled on one or more of your Supabase tables. Without RLS, any authenticated user can query the entire table — including rows belonging to other users.
Supabase uses PostgreSQL's Row Level Security to control which rows a user can see or modify. Without it, the database falls back to role-level permissions — meaning anyone using your anon key (every visitor to your site) can run queries with no row-level restrictions.
SELECT * FROM users
→ returns ALL 10,000 rowsSELECT * FROM users
→ returns only YOUR rowThis is one of the most exploited issues in Supabase apps built with AI tools, because Lovable and Bolt don't enable RLS by default. Here's exactly what an attacker does:
In Supabase Dashboard → Table Editor → select each table → "Enable RLS". Do this for every table that contains user data.
-- Via SQL (do this for every table) ALTER TABLE profiles ENABLE ROW LEVEL SECURITY; ALTER TABLE orders ENABLE ROW LEVEL SECURITY; ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
RLS with no policies blocks everyone including legitimate users. Add a policy that lets users access their own rows.
-- Users can only read their own profile CREATE POLICY "users_select_own" ON profiles FOR SELECT USING (auth.uid() = user_id); -- Users can only update their own profile CREATE POLICY "users_update_own" ON profiles FOR UPDATE USING (auth.uid() = user_id);
Use the Supabase RLS policy tester or a test account to verify that users cannot see each other's data.
“VibeScan flagged that Row Level Security may be disabled on my Supabase tables. Please enable RLS on every table in my project and add appropriate policies. For user-owned data (profiles, orders, documents), add SELECT and UPDATE policies using auth.uid() = user_id. For public data like a products table, add a SELECT policy that allows all reads. Then test that one user cannot access another user's rows.”
VibeScan detects RLS signals alongside 10 other critical security checks — free, in under 60 seconds.
Scan my app free →