

Yesterday, security researcher Taimur Khan published findings that should worry every single person who's shipped a Lovable app.
16 vulnerabilities. 6 critical. 18,000+ users' personal data exposed. Including minors.
The platform's official response? "Security is the user's responsibility."
You trusted an AI platform to help you build something. The AI skipped basic security. And now the platform says that's your problem.
A Lovable-hosted app with over 100,000 views was found wide open. The AI-generated code never turned on row-level security in Supabase. The authentication logic was backwards. It blocked real users and let attackers get full access to user records, send bulk emails, delete accounts, view sensitive PII, etc. Ugly.
This isn't theoretical, and the same kind of vulnerability could be sitting in your project right now.
We'd been building RLS auditing tooling for Lovable projects as part of our product. We weren't ready to ship it. Doesn't matter. A breach this bad can’t wait.
So we carved out a simple, no-sign-up, rough-around-the-edges tool and open-sourced it.
It's called Vibe-Scanner. Run it now.
https://github.com/SymbioticSec/vibe-scanner
Vibe-Scanner runs 62 detection rules against your project's Row Level Security (RLS) configuration and flags the exact class of vulnerabilities that caused this breach, including:
- USING(true) or other logic that grants access to everyone
- FORCE ROW LEVEL SECURITY on tables

It works two ways: point it at your local SQL migration files, or connect it directly to your live Lovable database to see your actual deployed state — which catches even more. You can scan all your Lovable projects at once with a single command. Results are graded by severity: CRITICAL, HIGH, MEDIUM, LOW, and WARNING — so you know exactly what to fix first.
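To make the detection logic concrete, here is an added example (my own code, not Vibe-Scanner's) that runs three of the checks described above over a constructed Supabase-style migration: a table where RLS was never enabled, a policy with USING (true), and a table missing FORCE ROW LEVEL SECURITY. The sample SQL, the regexes and the severity grades are assumptions for illustration.

```python
import re

# Constructed sample migration (not from any real project): `profiles` never
# enables RLS, `orders` has a USING (true) policy, `notes` is the hardened form.
SAMPLE_MIGRATION = """
create table public.profiles (id uuid primary key, email text, user_id uuid);

create table public.orders (id uuid primary key, user_id uuid, total numeric);
alter table public.orders enable row level security;
create policy "orders_read" on public.orders for select using (true);

create table public.notes (id uuid primary key, owner uuid, body text);
alter table public.notes enable row level security;
alter table public.notes force row level security;
create policy "notes_owner" on public.notes for all
  using (auth.uid() = owner) with check (auth.uid() = owner);
"""

TABLE_RE = re.compile(r"create\s+table\s+(?:if\s+not\s+exists\s+)?(?:public\.)?(\w+)", re.I)
ENABLE_RE = re.compile(r"alter\s+table\s+(?:public\.)?(\w+)\s+enable\s+row\s+level\s+security", re.I)
FORCE_RE = re.compile(r"alter\s+table\s+(?:public\.)?(\w+)\s+force\s+row\s+level\s+security", re.I)
POLICY_RE = re.compile(r"create\s+policy\s+\"?(\w+)\"?\s+on\s+(?:public\.)?(\w+)(.*?);", re.I | re.S)


def audit_rls(sql: str) -> list[tuple[str, str, str]]:
    """Return (severity, table, message) findings for one migration file's text."""
    findings = []
    enabled = {t.lower() for t in ENABLE_RE.findall(sql)}
    forced = {t.lower() for t in FORCE_RE.findall(sql)}
    for table in TABLE_RE.findall(sql):
        if table.lower() not in enabled:
            # With RLS off, the anon/authenticated API roles see every row.
            findings.append(("CRITICAL", table, "row level security never enabled"))
        elif table.lower() not in forced:
            # Postgres lets the table owner bypass policies unless FORCE is set.
            findings.append(("LOW", table, "FORCE ROW LEVEL SECURITY not set"))
    for name, table, body in POLICY_RE.findall(sql):
        # USING (true) / WITH CHECK (true) grants the operation to every role.
        if re.search(r"(using|with\s+check)\s*\(\s*true\s*\)", body, re.I):
            findings.append(("CRITICAL", table, f'policy "{name}" grants access to everyone'))
    return findings


if __name__ == "__main__":
    for severity, table, message in audit_rls(SAMPLE_MIGRATION):
        print(f"{severity:8} {table:10} {message}")
```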
Vibe-Scanner is a read-only auditing tool. It detects and reports, but it does not modify your database, apply fixes, or patch your code.
If you find yourself vulnerable, we're temporarily giving free access to Symbiotic Code so you can remediate. Not a sales trick, just trying to be helpful without having to carve out a new tool from our product. Contact us.
By the way, this isn't just about Lovable. This is the canary in the coal mine for every AI coding tool.
AI-generated code is fast. It's also completely blind to security context. Unless something in the workflow actively enforces secure patterns, you get what happened here: code that looks fine on the surface and is completely exposed underneath.
The DORA report found a 7.2% decrease in delivery stability for every 25% increase in AI code usage. Nearly half of all AI-generated code contains vulnerabilities.
Telling developers to "review security before publishing" doesn't work when those developers chose AI tools because they're not security experts. That's the whole point.
You need security built into the generation process. Not bolted on after the damage is done.
Source: SC World - Lovable platform faces scrutiny over app vulnerabilities and data leak
