// Lovable security

Is your Lovable app leaking user data? find out free.

Lovable builds fast on Supabase — but the default setup often ships with Row Level Security off, which means anyone with your public key can read every row in your database. That's the exact gap behind CVE-2025-48757.

Scan your Lovable app now — free, ~60 seconds, no signup.

Lovable generates a React front-end backed by Supabase. To talk to the database from the browser, it embeds your Supabase project URL and anon (public) key directly in the page — which is by design and safe *only if* Row Level Security (RLS) is switched on for every table.

When RLS is off — which is the default state for many tables — that public key becomes a skeleton key. Anyone can open the network tab, copy it, and query your tables directly: users, orders, messages, everything. No login, no exploit, no skill required.

~70%

of Lovable apps ship with RLS disabled on at least one table

Beesoul / Retool analysis

10.3%

of analysed Lovable projects were affected by CVE-2025-48757

Matt Palmer, May 2025 (303 endpoints across 170 projects)

18,697

users exposed in a single Lovable app via inverted auth

Lovable Exam App disclosure

What goes wrong on Lovable

Row Level Security off (CVE-2025-48757)

The flagship Lovable risk. With RLS disabled, your Supabase anon key lets anyone read or write any table. We probe common tables (users, profiles, orders, messages…) with your public key and flag any that return rows.

Supabase anon key in the bundle

Lovable puts the anon key in client JavaScript — that's expected. The danger is when it's paired with missing RLS or, worse, a leaked service_role key (which bypasses RLS entirely).

Auth checks only on the front-end

Generated apps often hide pages with client-side routing but never enforce access server-side. Anyone can call the underlying Supabase query directly and skip the UI gate.

Public storage buckets

File uploads can land in a Supabase bucket that's world-readable, exposing receipts, IDs, and user uploads to anyone with the URL pattern.

Your Lovable security checklist

  • RLS is enabled on every table — not just the ones you remembered
  • No service_role key anywhere in the client bundle
  • Auth is enforced in RLS policies, not just hidden in the UI
  • Storage buckets are private unless they truly need to be public
  • Security headers (CSP, HSTS) are set on the deployed app
  • No API keys for Stripe, OpenAI, etc. hard-coded in the front-end

Lovable security FAQ

Is Lovable secure by default?

Lovable's generated code is functional, but security defaults like Row Level Security are not always enabled per table. The most common real-world issue is RLS being off, which exposes your whole database through the public anon key. You have to turn RLS on and write policies yourself.

What is CVE-2025-48757?

It's the vulnerability class where Lovable (and similar Supabase apps) ship with missing or misconfigured Row Level Security, letting anyone read other users' data using the public key. Analysis found ~10% of scanned Lovable projects affected.

How do I check my Lovable app?

Run a free scan with bleek — paste your app URL and we'll probe for exposed tables, leaked keys, and missing headers in about a minute, then give you a copy-paste fix for each issue.

Find your Lovable app's leaks now.

Free scan, real findings, a copy-paste fix for each one. No signup.