Is Lovable safe?
Is Lovable safe to ship?
Lovable turns a prompt into a working Supabase-backed app faster than almost any other tool. The question worth asking before you send traffic to it is whether the database behind that app is actually locked down.
What Lovable actually does well
Scaffolds a full working app, frontend, auth, and a real Postgres database, from a plain-language prompt in minutes.
Wires up the Supabase client library correctly, including session handling and the auth UI.
Iterates fast on follow-up prompts without breaking the parts that already work.
The gap
The gap: row-level security is off by default
Lovable creates your tables through its Supabase integration, but it does not ask whether those tables should be locked down before it ships them. Supabase's public anon key is meant to be visible in the browser, that part is fine by design. The problem is that without a row-level security (RLS) policy on a table, that same anon key lets anyone query it directly through the REST API, no login required. CVE-2025-48757 documented this exact pattern across 170 of 1,645 scanned Lovable apps. A separate scan of 66 live AI-built apps, covered in our data report below, found the same gap in 41% of the Supabase-backed apps tested.
Check Lovable for this yourself right now
This takes about 60 seconds and does not require touching your Supabase dashboard.
- 01
Open your live Lovable app and open browser devtools (F12 or right-click, Inspect).
- 02
Go to the Network tab, reload the page, and find a request to a supabase.co domain.
- 03
Click that request and copy the value of the apikey header, this is your public anon key.
- 04
In a terminal, run: curl "https://<your-project>.supabase.co/rest/v1/<table-name>?select=*&limit=1" -H "apikey: <anon-key>"
- 05
If rows come back, that table has no RLS policy blocking anonymous reads. If you get an empty array or a permissions error, it is protected.
Rather not do this by hand? The free Leak Check runs the anon-key probe and a client bundle scan against your live URL and gives you results in under a minute.
Run the free Leak Check →Where the numbers come from
We scanned 66 live apps built with Lovable, Bolt, Cursor, base44, and Tempo. 41% of the Supabase-backed apps had at least one table anyone could read with the public anon key. The full methodology and findings are in the data report.
Read the data report →