diff --git a/supabase/migrations/20251104151915_ab4e6a7a-cd0c-46f4-be81-109db74c6c47.sql b/supabase/migrations/20251104151915_ab4e6a7a-cd0c-46f4-be81-109db74c6c47.sql
new file mode 100644
index 00000000..444165e7
--- /dev/null
+++ b/supabase/migrations/20251104151915_ab4e6a7a-cd0c-46f4-be81-109db74c6c47.sql
@@ -0,0 +1,72 @@
+-- Fix RLS policies to use block_aal1_with_mfa() instead of direct auth.mfa_factors queries
+-- This resolves "permission denied for table mfa_factors" errors
+
+-- ==========================================
+-- submission_items policies
+-- ==========================================
+
+DROP POLICY IF EXISTS "Moderators can delete submission items" ON public.submission_items;
+CREATE POLICY "Moderators can delete submission items"
+ON public.submission_items FOR DELETE
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+DROP POLICY IF EXISTS "Moderators can insert submission items" ON public.submission_items;
+CREATE POLICY "Moderators can insert submission items"
+ON public.submission_items FOR INSERT
+TO authenticated
+WITH CHECK (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+-- ==========================================
+-- park_submissions policies
+-- ==========================================
+
+DROP POLICY IF EXISTS "Moderators can delete park submissions" ON public.park_submissions;
+CREATE POLICY "Moderators can delete park submissions"
+ON public.park_submissions FOR DELETE
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+DROP POLICY IF EXISTS "Moderators can update park submissions" ON public.park_submissions;
+CREATE POLICY "Moderators can update park submissions"
+ON public.park_submissions FOR UPDATE
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+DROP POLICY IF EXISTS "Moderators can view all park submissions" ON public.park_submissions;
+CREATE POLICY "Moderators can view all park submissions"
+ON public.park_submissions FOR SELECT
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+-- ==========================================
+-- ride_submissions policies
+-- ==========================================
+
+DROP POLICY IF EXISTS "Moderators can delete ride submissions" ON public.ride_submissions;
+CREATE POLICY "Moderators can delete ride submissions"
+ON public.ride_submissions FOR DELETE
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+DROP POLICY IF EXISTS "Moderators can update ride submissions" ON public.ride_submissions;
+CREATE POLICY "Moderators can update ride submissions"
+ON public.ride_submissions FOR UPDATE
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+DROP POLICY IF EXISTS "Moderators can view all ride submissions" ON public.ride_submissions;
+CREATE POLICY "Moderators can view all ride submissions"
+ON public.ride_submissions FOR SELECT
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
+
+-- ==========================================
+-- photo_submissions policies
+-- ==========================================
+
+DROP POLICY IF EXISTS "Moderators can delete photo submissions" ON public.photo_submissions;
+CREATE POLICY "Moderators can delete photo submissions"
+ON public.photo_submissions FOR DELETE
+TO authenticated
+USING (is_moderator(auth.uid()) AND block_aal1_with_mfa());
\ No newline at end of file
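Review bot: Every policy in this hunk is created without `AS RESTRICTIVE`, so the `block_aal1_with_mfa()` conjunct only limits what these permissive policies themselves grant; if any other permissive policy on the same table and command exists (an owner-based SELECT on park_submissions, for instance), a moderator whose session presumably is still at AAL1 is admitted through that policy and the step-up check never applies. I can't see the other policies from this migration, so treat this as a question rather than a confirmed gap. If the function is meant as a hard MFA requirement for moderator actions, one restrictive policy per table such as `CREATE POLICY "Require MFA for moderators" ON public.park_submissions AS RESTRICTIVE TO authenticated USING (NOT is_moderator(auth.uid()) OR block_aal1_with_mfa());` expresses that intent and composes with the grants by AND. Otherwise a header comment like `-- Permissive policies: MFA is a condition of each grant, not a table-wide restriction` would record the decision for the next reader; the submission_items, ride_submissions and photo_submissions sections share the same pattern.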