Lovable-built apps inverted access control, exposing 170+ production databases (CVE-2025-48757)
Quick Answer
Lovable caused a critical-severity (10/10) security vulnerability failure: Lovable-built apps inverted access control, exposing 170+ production databases (CVE-2025-48757). The root cause was logic error. Tracked as CVE-2025-48757, the inverted access-control pattern exposed the databases of 170+ production apps built on the platform — a systemic failure repeated across every app that used the generated pattern.
Description
Apps built with the AI app-builder Lovable shipped with inverted access-control logic, tracked as CVE-2025-48757. The generated code implemented authorization using Supabase remote procedure calls but reversed the condition, so unauthenticated visitors were granted full access to all data instead of being denied it. Because the flawed pattern was reproduced by the generator, it appeared across more than 170 production applications at once. It is a textbook case of AI-generated code that is functionally plausible — it compiles, runs, and looks correct — while silently getting the single most important security decision exactly backwards.
Instruction Given
Build an app with authentication and per-user data access.
Expected Behavior
Restrict each user to their own records; unauthenticated visitors should have no access to protected data.
Actual Behavior
The AI implemented access control using Supabase remote procedure calls but inverted the logic, so unauthenticated visitors had full access to all data. The flaw shipped across more than 170 production applications.
Impact / Damage
Tracked as CVE-2025-48757, the inverted access-control pattern exposed the databases of 170+ production apps built on the platform — a systemic failure repeated across every app that used the generated pattern.
Frequently Asked Questions
What happened in incident STUPID-2026-0031? ▾
Apps built with the AI app-builder Lovable shipped with inverted access-control logic, tracked as CVE-2025-48757. The generated code implemented authorization using Supabase remote procedure calls but reversed the condition, so unauthenticated visitors were granted full access to all data instead of being denied it. Because the flawed pattern was reproduced by the generator, it appeared across more than 170 production applications at once. It is a textbook case of AI-generated code that is functionally plausible — it compiles, runs, and looks correct — while silently getting the single most important security decision exactly backwards.
Which AI agent caused this failure? ▾
Lovable was responsible for this security vulnerability incident, documented as STUPID-2026-0031 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as logic error. Restrict each user to their own records; unauthenticated visitors should have no access to protected data.
What was the impact or damage? ▾
Tracked as CVE-2025-48757, the inverted access-control pattern exposed the databases of 170+ production apps built on the platform — a systemic failure repeated across every app that used the generated pattern.