Lovable · Lovable · CVE-2025-48757
**Name of the Vulnerable Software and Affected Versions**
Lovable versions prior to 2025-04-15
**Description**
An insufficient database Row-Level Security (RLS) policy allows remote unauthenticated attackers to read from or write to arbitrary database tables of generated sites. Row-Level Security is a database feature that restricts which rows of data a user can access based on their identity or role. In this case, RLS that is missing or misconfigured in the Supabase databases backing AI-generated applications often leaves table data publicly accessible by default.
Real-world incidents include the exposure of over 170 user-built applications, the exposure of 18,697 student records due to an inverted authentication check, and the exposure of 303 insecure endpoints.
**Recommendations**
For versions prior to 2025-04-15, developers must review and secure the Row-Level Security policies of their Supabase databases to ensure data is not exposed publicly.
As a temporary mitigation, restrict access to the database tables and ensure that RLS is explicitly enabled for all tables containing sensitive user data.
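The following is an added example, not taken from the advisory or from Lovable or Supabase: it shows the exposed state the advisory describes beside the corrected Supabase (PostgreSQL) configuration, followed by a catalog query that lists tables in the public schema with RLS still disabled. The table `public.profiles` and its columns are constructed for illustration; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's standard ones.

```sql
-- Constructed example table; the table and column names are assumptions, not from the advisory.
create table public.profiles (
  id         bigint generated always as identity primary key,
  user_id    uuid not null,          -- owner; compared against auth.uid() of the logged-in user
  email      text not null,
  notes      text
);

-- WEAK (the state this advisory describes): RLS is never enabled. Supabase exposes
-- public-schema tables through its REST API to the anon and authenticated roles, so
-- every row is readable and writable by anyone holding the public anon key.
--   (no "enable row level security" statement at all)

-- ALSO WEAK: RLS enabled but with a permissive catch-all policy, which is
-- equivalent to having no RLS.
-- create policy "open" on public.profiles for all using (true) with check (true);

-- FIXED: enable and force RLS, then grant rows only to their owner.
alter table public.profiles enable row level security;
alter table public.profiles force row level security;   -- applies to the table owner too

create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles: owner can insert"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- No policy is created for the anon role, so unauthenticated requests see zero rows.

-- CHECK: list every ordinary table in the exposed public schema that still has RLS off.
-- Run this after deploying; an empty result is the expected state.
select n.nspname as schema_name, c.relname as table_name, c.relrowsecurity as rls_enabled
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Because RLS is deny-by-default once enabled, a table with RLS on but no policies returns no rows to anon or authenticated users, so the check query above is the one to wire into a deployment pipeline rather than auditing policies by hand.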