It turns out that sites created with 'Lovable,' a service that allows users to create websites with AI, have a security flaw that leaks users' API keys, email addresses, etc.

It has been revealed that many of the products created by
Statement on CVE-2025-48757
https://mattpalmer.io/posts/statement-on-CVE-2025-48757/

The hottest new vibe coding startup Lovable is a sitting duck for hackers | Semafor
https://www.semafor.com/article/05/29/2025/the-hottest-new-vibe-coding-startup-lovable-is-a-sitting-duck-for-hackers
Developer Matt Palmer revealed a vulnerability in Lovable: the apps it generates sometimes fail to implement a basic database security setting called row-level security (RLS). Without it, sensitive user data can be read out of apps built with Lovable, and attackers can also insert malicious data into them.
Palmer first discovered this vulnerability on a site called Linkable. Linkable was itself built with Lovable and let users create their own website by paying $2 (about 300 yen) and entering the URL of their LinkedIn profile. According to Palmer, a mistake in Lovable's design left the access controls on Supabase, the external service used to host the website's database, improperly configured, so the email addresses of about 500 people who had used Linkable were visible to anyone.
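The mistake described above is a Supabase table exposed without row-level security. The following is an added illustration, not code from Lovable, Linkable or the article: a hypothetical `profiles` table in the weak state, followed by the RLS policies that restrict each row to its owner, and an audit query a maintainer can run to find tables that are still unprotected.

```sql
-- Constructed example table (hypothetical, not from any Lovable app).
-- A table created with plain SQL has RLS switched OFF, and Supabase exposes
-- every table in the public schema through its REST API, so the public
-- "anon" key alone can read and write every row: this is the weak state.
create table public.profiles (
  id       bigint generated always as identity primary key,
  user_id  uuid not null references auth.users (id),
  email    text not null,
  linkedin text
);

-- Fix 1: turn RLS on. With RLS enabled and no policies defined, the anon
-- and authenticated roles get zero rows back (deny by default).
alter table public.profiles enable row level security;

-- Fix 2: let a signed-in user see and change only their own row.
-- auth.uid() returns the user id from the caller's Supabase JWT.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using ((select auth.uid()) = user_id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- Audit: list every ordinary table in the public schema that still has
-- RLS disabled. An empty result is what a maintainer wants to see.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Note that "anon" reads are not granted by these policies at all, which is the intended default for a table holding email addresses.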

After finding the vulnerability in Linkable, Palmer conducted further research by scanning 1,645 web apps created using Lovable, and found that 170 web apps had the same issue, exposing users' names, email addresses, financial information, API keys, and more.
When Palmer reported the problem to Lovable, the company announced that it had taken countermeasures. However, these did not fundamentally verify that the generated code was correct or consistent with the intended access logic, so as of May 29, 2025, the problem has not been substantially resolved.

'We urge users to notify themselves and take immediate steps to prevent a system-wide data breach,' Palmer said.
in Web Application, Security, Posted by log1p_kr