Lovable, a Sweden-based AI-powered coding platform, reportedly contained critical security vulnerabilities.
Matt Palmer, who handles developer relations at Replit, a competing AI coding platform headquartered in the United States, and his colleague discovered the vulnerability in Lovable’s implementation of Row Level Security (RLS) policies in March. Palmer published his findings in a blog post on Thursday.
“Applications developed using its platform often lack secure RLS configurations, allowing unauthorised actors to access sensitive user data and inject malicious data,” said Palmer. RLS is a way to ensure that application users can only see and modify data they should have access to.
Palmer found these vulnerabilities while examining an app called Linkable, which was built using Lovable to generate websites from LinkedIn profiles. He also noted that applications built on Lovable depend on external services for backend tasks like authentication and data storage. This transfers the security responsibility to the application’s creator rather than to Lovable.
“However, misaligned RLS policies between the client-side logic and backend enforcement frequently result in vulnerabilities, where attackers can bypass frontend controls to directly access or modify data,” he added.
Lovable was quick to introduce a ‘security scanner’, but Palmer said that it merely checks for the existence of any RLS policy, and not its correctness. “This provides a false sense of security, failing to detect the misconfigurations that expose data,” he added.
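The difference between a policy that merely exists and one that is correct, which the article says the scanner did not distinguish, is easy to see in Postgres row level security, the mechanism Supabase exposes. The following SQL is an added example written for this page; it is not code from Lovable, Palmer’s post, or Supabase, and the `profiles` table, its column names, and the `auth.uid()` / `authenticated` conventions are assumptions (the last two follow Supabase’s usual setup). It shows a policy that passes an existence-only check while exposing every row, the owner-scoped policies that replace it, and two catalogue queries a reviewer can run to find both kinds of gap.

```sql
-- Constructed table, as a generated app might create it (column names assumed).
create table profiles (
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null,          -- assumed to hold the owning user's auth.uid()
  linkedin_url text,
  email text
);

alter table profiles enable row level security;

-- WEAK: a policy exists, so an existence-only scanner is satisfied, but it grants
-- every role (the anonymous role included) read and write access to every row.
create policy "profiles_all_access" on profiles
  for all
  using (true)
  with check (true);

-- Remove the permissive policy before adding the correct ones.
drop policy "profiles_all_access" on profiles;

-- CORRECT: each operation is scoped to the authenticated user who owns the row.
create policy "profiles_select_own" on profiles
  for select to authenticated
  using (auth.uid() = owner_id);

create policy "profiles_insert_own" on profiles
  for insert to authenticated
  with check (auth.uid() = owner_id);

create policy "profiles_update_own" on profiles
  for update to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "profiles_delete_own" on profiles
  for delete to authenticated
  using (auth.uid() = owner_id);

-- Review query 1: policies whose USING or WITH CHECK clause is literally "true",
-- or that apply to PUBLIC (every role). These are the "exists but is wrong" cases
-- that an existence-only check does not flag.
select schemaname, tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true' or roles = '{public}');

-- Review query 2: ordinary tables in the public schema with RLS not enabled at all,
-- which is the most common exposure when the frontend is the only access control.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Run the two review queries against the database, not against the frontend: the point of the article is that client-side checks do not constrain a caller who talks to the backend directly, so the only enforcement that counts is the policy the database applies.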
Palmer has also published the Common Vulnerabilities and Exposures (CVE) records for the issues he found. To determine whether it was an isolated vulnerability affecting only Linkable, Palmer examined a list of apps built on Lovable. “Access to the list of these sites was gained by manipulating an endpoint on the launched site itself, which also lacked RLS,” he added.
AUTOMATED SCAN FINDINGS
The scan, completed on March 21st, identified 303 endpoints across 170 projects (approximately 10.3% of the 1645 analyzed) with inadequate RLS settings. This indicates widespread RLS misapplication, potentially highlighting systemic issues in Lovable’s… pic.twitter.com/sN8QlqWdhx
— matt palmer (@mattppal) May 29, 2025
He also published a timeline of events following his discovery of the vulnerability.
“Vibe coding empowers new devs—but that means platforms must ship secure defaults,” said Amjad Masad, CEO of Replit. “We owe it to the community. Proud of the team for how they handled this vulnerability disclosure,” he added.
Jason Liu, an independent AI consultant, said on X that when he first tried Lovable, his first feedback to the CEO was about RLS.
Lovable Responds
Hours after Palmer disclosed the issues, Lovable released a statement on X: “We’re working towards making Lovable the most secure place to build software.”
Lovable also said that it has shipped security improvements recently, including detecting incorrect RLS usage, deep code security reviews, and warnings to notify users when they paste API keys in the chat.
To address the RLS issues, Lovable said, “We’ve incorporated Supabase’s [a backend integration tool] Security Advisor directly into the Lovable editor. It will notify you of obvious security issues based on heuristics.”
However, Lovable also mentioned that Supabase’s security advisor may sometimes miss incorrect RLS usage. “To mitigate this, we’ve added a deep code security review that leverages AI to analyse your app for potential security issues and suggest a plan on how to fix them,” said Lovable.
This is said to identify RLS issues and tackle other vulnerabilities, such as code injection, cross-site scripting, or authentication flow weaknesses. The security reviewer employs advanced reasoning to understand the app’s intended functionality.
“Lovable is now significantly better at building secure apps than a few months ago and this is improving quickly,” said Lovable.
“That being said, we’re not yet where we want to be in terms of security and we’re committed to improving the security posture for all Lovable users.”
No Vibes Without Security
While using natural language for coding, or ‘vibe coding,’ offers a simplified experience for non-technical individuals to write programs, security must also be prioritised.
In addition to disclosing the Lovable vulnerabilities last month, Palmer shared a checklist to help users keep their apps secure while using these platforms.
He advised users to build secure processes into their workflow, covering both front-end and back-end operations.
These include enforcing HTTPS, sanitising user input, preventing credential exposure, authenticating APIs, securing cookies, updating dependencies, and applying protective headers.
A checklist for secure vibe coded apps.
Putting things on the internet is kind of like parking your car in San Francisco—there’s inherent risk.
Luckily, there are some straightforward things you can do to minimize those risks. Here are 16 simple things to make secure vibe… pic.twitter.com/AGdEHRlM4D
— matt palmer (@mattppal) April 11, 2025
This approach indicates that users creating apps on these platforms must incorporate security practices into their own workflow rather than relying solely on the platform developers.
The post When Replit Employees Found a Critical Security Vulnerability in Lovable appeared first on Analytics India Magazine.