
Lovable Vulnerability Explained: How 170+ Apps Were Exposed

Blog post from Superblocks

Author: Superblocks Team
Word count: 1,829
Language: English
Summary

The Lovable vulnerability, tracked as CVE-2025-48757 and reported by Matt Palmer, was a row-level security (RLS) misconfiguration in the database backing apps generated with Lovable. It affected 303 endpoints across 170 apps and let unauthenticated attackers access sensitive data. The flaw was systemic rather than a one-off bug: Lovable's client-driven architecture ships a public API key in the browser code, and because no server-side authorization check sits between that client and the database, the key becomes a credential for any table whose RLS policies are missing or overly permissive. Exposed data included user emails, phone numbers, and third-party API keys.

Lovable's response, a new security scan feature, was criticized as inadequate because it did not confirm that the RLS policies actually restricted access; a policy can be present and still allow every request through. The incident highlighted the need for SaaS platforms to ship secure-by-default configurations and for developers to test and audit generated apps rigorously instead of trusting the defaults. Community reaction was largely negative, with many advising against using Lovable for apps that handle sensitive data. The broader lesson is that in low-code and AI-assisted environments an insecure default propagates to every app built on the platform, so security has to be designed into both the platform and each app.
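The misconfiguration described above, as an added PostgreSQL example that is not code from the Superblocks post, from Lovable, or from the affected apps. The profiles table and its columns are assumed for illustration; the anon and authenticated roles and the auth.uid() helper are the ones Supabase provides, on the assumption (from how the CVE was reported, not from the summary above) that the affected apps used a Supabase Postgres database. The first part shows the two ways the exposure arises, the second the hardened policies, and the final two queries are the audit a practitioner would run, because a scan that only checks whether RLS is enabled passes the permissive policy.

```sql
-- Assumed schema for illustration (not from the post).
create table public.profiles (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null,      -- row owner; compared against auth.uid()
  email      text not null,
  phone      text,
  openai_key text                -- third-party API key stored per user
);

-- Exposure 1: RLS never enabled. This is the default state of a new table,
-- and Supabase's default privileges grant anon and authenticated access to
-- public tables, so the anon key shipped in the browser reads every row via
-- GET /rest/v1/profiles?select=*

-- Exposure 2: RLS enabled, but a policy that lets everyone through.
-- A scanner that only checks that RLS is on reports this table as protected.
alter table public.profiles enable row level security;
create policy "allow all" on public.profiles
  for all to anon, authenticated
  using (true) with check (true);

-- Hardened version: drop the permissive policy, apply RLS to the table owner
-- as well, and scope every command to the row's owner.
drop policy "allow all" on public.profiles;
alter table public.profiles force row level security;

create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (auth.uid() = user_id);

create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- No policy for anon: with RLS enabled and no matching policy, anon gets
-- zero rows and cannot insert. Removing anon's privileges entirely means a
-- future careless policy cannot re-expose the table either.
revoke all on public.profiles from anon;

-- Audit query 1: tables in public with RLS off (exposure 1).
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- Audit query 2: policies reachable by anon, or by every role (shown as
-- "public" when the policy has no TO clause), whose USING or WITH CHECK
-- clause is a bare true (exposure 2).
select schemaname, tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and roles && array['anon', 'public']::name[]
  and (qual = 'true' or with_check = 'true');
```

Run the two audit queries from psql or the database's SQL console as a role that can read the catalog; both should return no rows once every public table has RLS enabled and owner-scoped policies. When testing end to end with the public key, remember that a SELECT denied by RLS returns an empty result set rather than an error, so an empty response from an anonymous request only proves protection if the same request authenticated as a row's owner returns that row. Secrets such as the openai_key column above should not live in a client-readable table at all, even behind a correct policy; keep them server-side.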