A critical vulnerability in the popular Lovable low-code platform has left hundreds of projects exposed to data breaches and malicious attacks. The flaw, identified as CVE-2025-48757, allows remote unauthenticated attackers to bypass Row-Level Security (RLS) policies and access sensitive user information, including personally identifiable information (PII) and credentials.
The vulnerability, discovered by security researcher Matt Palmer on March 20, 2025, affects all Lovable versions through April 15, 2025. With a severe CVSS score of 9.3, the flaw stems from misaligned RLS policies between frontend logic and backend enforcement in Lovable’s client-heavy architecture, which relies on platforms like Supabase for authentication and data storage.

The attack vector is particularly alarming as it allows threat actors to bypass client-side authentication checks by modifying network queries, exposing full tables of user data. This security breakdown impacts high-profile sites like Linkable, a platform that auto-generates websites from LinkedIn profiles, putting countless users’ personal information at risk.
According to Palmer, “Applications developed using its platform often lack secure RLS configurations, allowing unauthorized actors to access sensitive user data and inject malicious data.” The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging organizations using Lovable to update their applications and review RLS policies to mitigate the risk of data exposure and malicious attacks.
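To make concrete what "misaligned RLS policies between frontend logic and backend enforcement" looks like on a Supabase-backed Postgres database, here is an added example (not code from the article, from Lovable or from Supabase) on a hypothetical `profiles` table: the weak configuration, a corrected one, and a query a reviewer can run to audit a database for the weak state. The table and policy names are assumptions; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's own.

```sql
-- Added example on a hypothetical public.profiles table (Postgres RLS as used by
-- Supabase). Table, column and policy names are assumed, not taken from any project.

-- 1. Weak: the table is created in the public schema (exposed through the API)
--    and RLS is never enabled. The frontend may only ever ask for "my" row, but
--    the database has no rule of its own, so an altered request returns every row.
create table public.profiles (
  id       uuid primary key,
  owner_id uuid not null,      -- matches auth.users(id) in Supabase
  email    text not null,
  phone    text
);
-- (no ENABLE ROW LEVEL SECURITY, no policies)

-- 2. Still weak: RLS is on, but the policy restates the client's assumption
--    instead of enforcing ownership, so anonymous callers see all rows too.
alter table public.profiles enable row level security;
create policy "anyone can read" on public.profiles
  for select to anon, authenticated
  using (true);

-- 3. Corrected: a row is visible only to its owner, anonymous callers get
--    nothing, and inserts/updates are bound to the caller's own id.
drop policy "anyone can read" on public.profiles;

create policy "owner reads own profile" on public.profiles
  for select to authenticated
  using (owner_id = auth.uid());

create policy "owner inserts own profile" on public.profiles
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner updates own profile" on public.profiles
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 4. Audit: list public tables that have RLS disabled or carry no policy at all.
--    Either condition is the exposure described above and should be reviewed.
select c.relname              as table_name,
       c.relrowsecurity       as rls_enabled,
       count(p.policyname)    as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.policyname) = 0;
```

The audit query in step 4 is the check worth adding to a deployment pipeline: a table it returns is one whose access control lives only in the client.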
As low-code platforms gain popularity for their ease of use and rapid application development, this vulnerability highlights the critical importance of proper security configurations and thorough testing. Developers and organizations must prioritize security best practices, including secure authentication, granular access controls, and regular security audits, to protect sensitive user data from falling into the wrong hands.
