Vibe coded Lovable-hosted app littered with basic flaws exposed 18K users

2026-02-27T18:36:51.000Z·★ 86·1 min read
Security researcher found 16 vulnerabilities (6 critical) in a vibe-coded Lovable app exposing 18K users — AI-generated auth logic was logically inverted.

A security researcher found 16 vulnerabilities (6 critical) in a single Lovable-hosted app built by AI, exposing 18,000 users' data — highlighting the dangers of deploying vibe-coded apps without security review.

The Findings

Taimur Khan discovered that a Lovable-hosted app with 100,000+ views and 400+ upvotes had 16 vulnerabilities, six of them rated critical, exposing the personal data of roughly 18,000 users.

Root Cause: AI Optimizing for "Works" Over "Secure"

Lovable ships its apps on a Supabase backend that handles authentication, storage, and the database. The AI-generated application code on top of that backend failed to implement basic security controls correctly.

A classic example: an access control function was logically inverted — blocking authenticated users and allowing unauthenticated access. The AI "optimizing for code that works" produced a backwards guard that a human reviewer would catch in seconds.
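To make the inverted-guard failure mode concrete, here is an added example (not code from the Lovable app or from the researcher's write-up). It models a guard the way a Supabase-backed app might write it: the guard receives the result of a `supabase.auth.getUser()` call (assumed shape `{ data: { user }, error }`) and decides whether the request may proceed. The backwards guard sits beside the corrected one, and a small authorization test matrix shows the check that catches either direction of mistake before publishing. The fixtures and function names are constructed for this illustration.

```javascript
// Added example: an inverted access-control guard beside its corrected form,
// plus a test matrix that flags the inversion. Not the original app's code.

// Inverted guard of the kind described above: the condition is backwards,
// so anonymous callers are let through and signed-in users are rejected.
function guardInverted(authResult) {
  const user = authResult && authResult.data ? authResult.data.user : null;
  if (user) {
    return { allowed: false, status: 403, reason: "forbidden" };
  }
  return { allowed: true, status: 200 };
}

// Corrected guard: deny by default, allow only when a user is present
// and the auth lookup reported no error (e.g. an expired JWT).
function guardCorrect(authResult) {
  const user = authResult && authResult.data ? authResult.data.user : null;
  if (!user || (authResult && authResult.error)) {
    return { allowed: false, status: 401, reason: "unauthenticated" };
  }
  return { allowed: true, status: 200 };
}

// Constructed fixtures standing in for getUser() responses (assumed shape).
const FIXTURES = {
  anonymous: { data: { user: null }, error: null },
  signedIn: { data: { user: { id: "user-1", email: "a@example.test" } }, error: null },
  expired: { data: { user: null }, error: { message: "JWT expired" } },
};

// Authorization test matrix: the properties any guard must satisfy.
// Each row pairs a fixture with whether access must be allowed. A guard
// that fails any row is wrong, whichever direction it is wrong in.
// Returns the list of failing rows (empty means the guard is consistent).
function auditGuard(guard) {
  const expectations = [
    ["anonymous", false],
    ["signedIn", true],
    ["expired", false],
  ];
  const failures = [];
  for (const [name, shouldAllow] of expectations) {
    const result = guard(FIXTURES[name]);
    if (result.allowed !== shouldAllow) {
      failures.push(`${name}: expected allowed=${shouldAllow}, got allowed=${result.allowed}`);
    }
  }
  return failures;
}

// Stand-alone run: the inverted guard fails every row, the corrected one passes.
console.log("inverted guard:", auditGuard(guardInverted));
console.log("corrected guard:", auditGuard(guardCorrect));
```

The matrix is deliberately symmetric: it asserts that anonymous and expired sessions are denied and that a valid session is allowed. A guard that only has a "does the happy path work" check can pass with the condition backwards; a guard that must satisfy both the positive and the negative rows cannot. Running a matrix like this as part of a pre-publish check is the kind of review step a non-technical user cannot perform by eye.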

The Broader Problem

The Lovable platform explicitly states users are responsible for addressing security issues flagged before publishing. But when AI-generated code looks functional but contains fundamental security flaws, non-technical users have no way to evaluate the risk.

This case demonstrates that vibe-coded applications need rigorous security auditing before production deployment — especially when handling sensitive user data.


Source: The Register
