diff --git a/routers/exam/templates.py b/routers/exam/templates.py
index adaa931..c80909e 100644
--- a/routers/exam/templates.py
+++ b/routers/exam/templates.py
@@ -322,8 +322,12 @@ async def get_template_source_pdf(
         except ValueError:
             raise HTTPException(status_code=404, detail="Template source not found")
     elif template.get("source_file_id"):
+        # Resolve the file row via service role (authz already done above: the caller proved they
+        # can see this template, and source_file_id is the template's own file). Reading `files`
+        # as-the-user trips a pre-existing broken RLS policy on cabinet_memberships
+        # (42P17 infinite recursion) — documented service-role exception, like the catalogue lookup.
         file_row = _first(
-            ctx.supabase.table("files")
+            SupabaseServiceRoleClient().supabase.table("files")
             .select("bucket, path, mime_type, name")
             .eq("id", template["source_file_id"])
             .limit(1)