Researchers showed that a developer using Cursor with the Supabase MCP server could become a data-exfiltration vector: an attacker files a support ticket containing hidden instructions, and when the developer's AI assistant later reads it with service-role privileges, it executes attacker-directed SQL that bypasses row-level security and writes private data back into the ticket. The disclosure became a textbook example of the 'lethal trifecta' — private data access, untrusted input, and an exfiltration path.
Production databases connected via MCP with elevated privileges were exfiltratable, prompting Supabase to promote read-only mode and publish defense-in-depth guidance.
Least-privilege read-only credentials for agents and prompt-injection scanning of untrusted data entering agent context break the exfiltration chain.
Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.
Request a demo