
Critical Vulnerability in Lovable's Security Policies Allows Malicious Code Injection



Security researchers have uncovered a widespread vulnerability in Lovable’s AI-powered development platform that exposes sensitive user data and enables malicious code injection across hundreds of applications.

The critical vulnerability, discovered on March 20, 2025, lies in how the platform's generated applications implement Row Level Security (RLS) policies, potentially exposing the personal information of thousands of users.

The issue was first identified while examining Linkable, a Lovable-built website that generates profiles from LinkedIn data.

Researchers found that making simple modifications to the application's database queries granted unauthorized access to all user data in the project's database tables, not just the rows belonging to the querying user.
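To make the failure mode concrete, here is an added example (not code from the article or from Lovable) of how a missing or permissive RLS policy lets a rewritten query return every row, and what a correctly scoped policy looks like. It assumes a PostgreSQL database (RLS is a PostgreSQL feature), a hypothetical `profiles` table with made-up columns, and a session setting `app.current_user_id` carrying the caller's identity; Supabase-style deployments expose the same identity through `auth.uid()` instead. The audit queries at the end are the check a practitioner would run on their own project.

```sql
-- Added example, not from the article. Table and column names are assumed.
create table profiles (
  id           bigint generated always as identity primary key,
  owner_id     uuid not null,      -- the authenticated user who owns the row
  full_name    text,
  email        text,
  linkedin_url text
);

-- State 1: RLS not enabled. Any role that can reach the table reads every row,
-- so a client that rewrites the app's query from
--     select * from profiles where owner_id = '<my-id>'
-- to
--     select * from profiles
-- receives everyone's data. Client-side WHERE clauses are not access control.

-- State 2: RLS enabled but with a policy that always passes. This is the same
-- exposure as state 1; "RLS is on" by itself proves nothing.
alter table profiles enable row level security;
create policy profiles_open on profiles for select using (true);
drop policy profiles_open on profiles;

-- State 3: policies that tie each row to the caller. With the setting unset,
-- current_setting(..., true) returns NULL, the comparison yields NULL, and the
-- policy denies the row, so an anonymous caller sees nothing.
create policy profiles_owner_read on profiles
  for select
  using (owner_id = current_setting('app.current_user_id', true)::uuid);

create policy profiles_owner_write on profiles
  for all
  using (owner_id = current_setting('app.current_user_id', true)::uuid)
  with check (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Table owners and superusers bypass RLS unless FORCE is set; the role the
-- application connects as must also not be the table owner.
alter table profiles force row level security;

-- Check as the application role: only the caller's own rows come back.
set app.current_user_id = '00000000-0000-0000-0000-000000000001';
select count(*) from profiles;

-- Audit 1: tables in the public schema with RLS disabled.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r' and n.nspname = 'public' and not c.relrowsecurity;

-- Audit 2: policies whose USING clause is a bare "true" (state 2 above).
select schemaname, tablename, policyname, cmd, qual
from pg_policies
where qual = 'true';
```

Both audit queries should return no rows on a correctly configured project; anything they list is reachable with a rewritten query exactly as described above.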

When the researchers initially reported the issue to Lovable via Twitter, the company denied it, then deleted both its response tweets and the vulnerable site.

Further investigation revealed the scope extends far beyond a single application.

Researchers developed an automated scanning tool that analyzed 1,645 projects from Lovable’s showcase platform, “Lovable Launched ...


Copyright of this story solely belongs to gbhackers.