Lovable Security Vulnerability

A severe security vulnerability, designated as CVE-2025-48757, has been discovered in Lovable’s implementation of Row Level Security (RLS) policies, allowing attackers to bypass authentication controls and inject malicious data into applications built on the platform. 

The vulnerability, first identified on March 20, 2025, affects hundreds of projects and exposes sensitive user information, including personal data, API keys, and financial records.

Lovable RLS Implementation Vulnerability

According to Matt Palmer, the core vulnerability stems from Lovable’s inadequate implementation of Row Level Security policies in its client-driven architecture. 

Applications developed using the platform frequently deploy with misconfigured or entirely absent RLS configurations, creating a critical security gap between frontend controls and backend enforcement. 

This architectural flaw allows unauthorized actors to bypass client-side restrictions and directly access database tables through modified SQL queries.

The vulnerability was initially discovered during an examination of Linkable, a Lovable-built website for generating profiles from LinkedIn data. 

Network request analysis revealed that simple query modifications could grant unrestricted access to the entire “users” table through SELECT * operations that should have been blocked by properly configured RLS policies. 

When Matt Palmer highlighted this issue on Lovable’s Twitter account, the company initially denied the problem before subsequently deleting their responses and temporarily removing the affected site.

Lovable’s client-driven architecture inherently shifts security responsibilities to application implementers, but the platform’s default configurations and guidance fail to ensure secure RLS deployment. 

The company’s introduction of a “security scanner” feature proves inadequate, as it merely verifies the existence of RLS policies without validating their correctness or alignment with application logic, creating a false sense of security for developers.

To assess the scope of the vulnerability, the researcher developed an automated scanning script that analyzed projects featured on Lovable Launched, the platform’s showcase of polished applications. 

The script systematically visited homepages, captured external network requests, and attempted to modify endpoints to execute unauthorized SELECT * operations that properly configured RLS would prevent.

The comprehensive scan of 1,645 projects identified 303 vulnerable endpoints across 170 applications, meaning approximately 10.3% of the analyzed projects had inadequate RLS settings. 

The exposed endpoints contained highly sensitive information. More critically, the scan revealed direct access to user data tables containing personal information, financial transactions, and subscription details via the following endpoints:

This widespread exposure indicates systemic issues in Lovable’s platform that predispose projects to insecure data storage configurations.

Persistent Data Injection Vulnerabilities

Follow-up testing conducted on May 24, 2025, revealed that the vulnerability extends beyond unauthorized data access to include malicious data injection capabilities. 

Analysis of the Linkable site, actively maintained by a Lovable employee, demonstrated that removing authorization headers from HTTP requests could bypass all access controls by shifting the security context from authenticated to unauthenticated users.

Researchers successfully executed unauthorized write operations by issuing crafted POST requests to the /rest/v1/website_generation endpoint, including the injection of records with fabricated payment status values (“payment_status”: “paid”) that bypassed Stripe integration controls. 

This capability enables attackers to manipulate application data, create fraudulent transactions, and potentially compromise the integrity of entire applications built on the platform.
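As an added example (not the researcher's script or Lovable's code), the following shows the weak and the corrected Postgres RLS state for the `website_generation` table named above, together with an audit query that flags both tables with RLS disabled and policies that merely exist while allowing everything, which is exactly the case a presence-only scanner like the one described for the "security scanner" feature would pass. It assumes a Supabase-style backend where API clients run as the `anon` or `authenticated` roles and `auth.uid()` returns the caller's user id; the `owner_id` column and the `unpaid` value are assumptions.

```sql
-- Added example, not Lovable's or the researcher's code.
-- Assumes a Supabase-style PostgreSQL backend: API clients act as the
-- `anon`/`authenticated` roles and auth.uid() returns the caller's id.
-- Only payment_status and the table name come from the article.

-- 1. Weak state: table exists, RLS is off. Any role the API grants
--    table access to can SELECT * or POST rows, and dropping the
--    Authorization header simply lands the caller in the anon role.
CREATE TABLE IF NOT EXISTS website_generation (
  id             bigserial PRIMARY KEY,
  owner_id       uuid NOT NULL,                  -- assumed column
  payment_status text NOT NULL DEFAULT 'unpaid'  -- assumed default value
);

-- 2. "RLS exists" but enforces nothing. A scanner that only checks for
--    the presence of policies accepts this; it is as open as no RLS.
-- ALTER TABLE website_generation ENABLE ROW LEVEL SECURITY;
-- CREATE POLICY allow_all ON website_generation
--   FOR ALL USING (true) WITH CHECK (true);

-- 3. Corrected state: enable RLS and scope every client operation to the
--    calling user. No policy is granted to anon, so unauthenticated
--    requests see zero rows and cannot insert.
ALTER TABLE website_generation ENABLE ROW LEVEL SECURITY;

CREATE POLICY wg_select_own ON website_generation
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

-- Clients may create their own rows but can never self-assert payment:
-- a POST carrying "payment_status": "paid" fails the WITH CHECK.
CREATE POLICY wg_insert_own ON website_generation
  FOR INSERT TO authenticated
  WITH CHECK (owner_id = auth.uid() AND payment_status = 'unpaid');

-- Deliberately no UPDATE/DELETE policy for clients: payment_status is
-- flipped only by a server-side role (e.g. a payment-provider webhook
-- handler running with BYPASSRLS) after the provider confirms payment.

-- 4. Audit query: tables in `public` that have RLS disabled, or that
--    carry a policy whose condition is literally `true`.
SELECT c.relname, c.relrowsecurity, p.policyname, p.cmd, p.qual, p.with_check
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p
       ON p.schemaname = n.nspname AND p.tablename = c.relname
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND (NOT c.relrowsecurity OR p.qual = 'true' OR p.with_check = 'true');
```

Any row the audit query returns is a table that the REST layer will serve in full to whichever roles hold table grants, regardless of what the frontend hides.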

While Lovable acknowledged the initial report on March 24, 2025, no meaningful remediation occurred, even after a Palantir engineer independently discovered and publicly disclosed similar vulnerabilities on April 14, 2025, which demonstrated active exploitation in the wild.

The persistence of these vulnerabilities despite prior notification and the implementation of Lovable’s “Security Scan” feature demonstrates fundamental architectural flaws that cannot be addressed through superficial security checks. 

Users of Lovable-built platforms are advised to exercise extreme caution and review all data access controls.
