Over the past few months, there’s been renewed discussion around the risks of connecting MCP servers to databases containing private data. A recent blog post by the team at General Analysis ran the headline “Supabase MCP can leak your entire SQL database.” They went on to show that if you spin up a Supabase instance with Row Level Security and a default MCP server accessed through Cursor, you can create a scenario in which a Stored Prompt Injection attack can be launched. They put instructions into data fields; when a developer used an AI agent to connect and read those fields, the instructions directed the MCP server to pull private data from the database and write it back to the text field the attacker was able to see. (full post here).
My initial reaction was to debate the MCP server setup, but I realized that this is the new reality. Vibe coders are not creating separate Production and Staging environments; they are developing on production databases.
Simon Willison first raised the issue in June of this year with his blog post on The Lethal Trifecta. He described this as bringing Access to Private Data together with the Ability to Externally Communicate and Exposure to Untrusted Content, or in technical terms:







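As an added example (not from the General Analysis post, Willison's post, or any MCP server's own code), here is one way a gateway in front of an agent's database tools could refuse the call that would bring all three conditions together in a single session. The table names, the `SessionGuard` class and the `replay` helper are hypothetical, and the tool-call sequence is constructed.

```python
from dataclasses import dataclass, field

# Constructed labels for this sketch: which tables hold attacker-writable text,
# which hold secrets, and which are readable by outside users after a write.
UNTRUSTED_TABLES = {"support_messages"}
PRIVATE_TABLES = {"integration_tokens"}
EXTERNALLY_VISIBLE_TABLES = {"support_messages"}

@dataclass
class SessionGuard:
    """Tracks which trifecta legs one agent session has already touched."""
    legs: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def _legs_for(self, action, table):
        # Map a single tool call to the leg(s) it would add to the session.
        needed = set()
        if action == "read" and table in UNTRUSTED_TABLES:
            needed.add("untrusted_content")
        if action == "read" and table in PRIVATE_TABLES:
            needed.add("private_data")
        if action == "write" and table in EXTERNALLY_VISIBLE_TABLES:
            needed.add("external_communication")
        return needed

    def authorize(self, action, table):
        """Allow the call unless it would complete all three legs."""
        combined = self.legs | self._legs_for(action, table)
        allowed = len(combined) < 3
        if allowed:
            self.legs = combined
        self.audit.append((action, table, "allow" if allowed else "deny"))
        return allowed

def replay(calls):
    """Run a sequence of (action, table) tool calls through a fresh guard."""
    guard = SessionGuard()
    return [guard.authorize(a, t) for a, t in calls], guard.audit

if __name__ == "__main__":
    # Constructed session: the agent reads tickets, reads secrets, then tries
    # to write into a field that outside users can view.
    decisions, audit = replay([
        ("read", "support_messages"),
        ("read", "integration_tokens"),
        ("write", "support_messages"),
    ])
    for entry in audit:
        print(entry)
```

Any two legs are allowed together; only the call that would add the third is denied, and the audit list records which call that was.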