Saved February 14, 2026
This article details a vulnerability chain called SupaPwn, found in Supabase Cloud, that allowed escalation from a regular user account to control of other instances in the same region. It describes the research process, how AI tools accelerated the discovery, and the collaboration with Supabase's security team.
Supabase, an open-source Backend-as-a-Service, had a significant vulnerability chain called SupaPwn that allowed an attacker to escalate from a regular user account to controlling other instances within the same region. Hacktron Research identified the chain in just three days using its AI-powered Hacktron CLI tool. The chain links several weaknesses: a flaw in Supautils and the postgres_fdw extension let users become Postgres superusers; superuser privilege allowed executing shell commands on the host; a misconfigured SUID binary enabled escalation to root; and finally, access to orchestration credentials compromised database instances in the same region.
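One link in the chain summarized above is a misconfigured SUID binary. The following is an added example, not code from the article or from Supabase or Hacktron: a host-side audit that walks a directory tree for setuid files and flags any whose name is not on an explicit allowlist, which is the routine check an operator runs to catch an unexpected setuid binary before it becomes an escalation step. The allowlist contents and the sample tree are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit a directory tree for setuid
# binaries that are not on an explicit allowlist.
# SUID_ALLOWLIST and all paths below are constructed for this example.

# Allowlisted setuid programs, one basename per line (constructed).
SUID_ALLOWLIST="sudo
passwd
su"

# find_unexpected_suid DIR
# Prints every regular file under DIR with the setuid bit set whose basename
# is not in SUID_ALLOWLIST. Returns 0 when none are found, 1 otherwise.
find_unexpected_suid() {
    dir="$1"
    found=0
    # -perm -4000 matches any file that has the setuid bit set.
    for f in $(find "$dir" -type f -perm -4000 2>/dev/null); do
        name=$(basename "$f")
        # -x: the whole line must match, so "passwd2" is not accepted as "passwd".
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qx "$name"; then
            echo "UNEXPECTED SUID: $f"
            found=1
        fi
    done
    return $found
}

# make_sample_tree
# Builds a constructed sample tree in a temp directory so the check can be
# exercised offline, and prints the directory path.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/opt/tool"
    : > "$tmp/bin/passwd";      chmod 4755 "$tmp/bin/passwd"      # setuid, allowlisted
    : > "$tmp/opt/tool/helper"; chmod 4755 "$tmp/opt/tool/helper" # setuid, NOT allowlisted
    : > "$tmp/bin/ls";          chmod 0755 "$tmp/bin/ls"          # no setuid bit
    echo "$tmp"
}

# Usage: run the audit over the constructed tree and report the verdict.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    if find_unexpected_suid "$sample"; then
        echo "audit clean"
    else
        echo "audit found unexpected setuid binaries"
    fi
fi
```

On a real host the same function would be pointed at `/` (or the mounts that allow execution) and the allowlist populated from the distribution's package manifest; anything it prints is worth explaining or removing.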
The vulnerability only affected a small fraction of database instances (0.000625%) running on deprecated infrastructure that was in the process of being upgraded. The security teams at Supabase and Lovable acted quickly, resolving the issue within a day, highlighting effective collaboration in responsible disclosure. Hacktron plans to make the Hacktron CLI public, aiming to equip developers and security teams with tools to find vulnerabilities more easily, similar to writing code with AI.
During the research, the author also looked for vulnerabilities in Lovable's new cloud feature, which relies on Supabase. Initially, access to the database was limited to a read-only role, but on further investigation the author discovered migration permissions tied to a high-privilege user account. By exploiting this, they managed to extract user credentials from the database. Having made significant progress, the author then worked with Lovable's security team, which led to a more in-depth understanding of the vulnerabilities present and the security measures in place.