2025-07
Prompt Injection
Supabase

Supabase MCP prompt injection lets attackers dump SQL databases

What happened

Researchers showed that a developer using Cursor with the Supabase MCP server could become a data-exfiltration vector: an attacker files a support ticket containing hidden instructions, and when the developer's AI assistant later reads it with service-role privileges, it executes attacker-directed SQL that bypasses row-level security and writes private data back into the ticket. The disclosure became a textbook example of the 'lethal trifecta' — private data access, untrusted input, and an exfiltration path.

Impact

Production databases connected via MCP with elevated privileges were exfiltratable, prompting Supabase to promote read-only mode and publish defense-in-depth guidance.

How this could have been prevented

Least-privilege read-only credentials for agents and prompt-injection scanning of untrusted data entering agent context break the exfiltration chain.

Sources

More prompt injection incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo