Lovable Database Row-Level Security Vulnerability Allows Unauthorized Data Access and Modification

Vulnerability

A vulnerability exists in Lovable projects deployed through April 15, 2025, due to inadequate default Row-Level Security (RLS) policies. This flaw enables remote, unauthenticated attackers to read from or write to arbitrary database tables via direct client access to the database endpoints, using the unprivileged 'anon' key. The vulnerability arises because the default RLS configuration does not match the access requirements of the data it protects, particularly for tables containing sensitive information. As a result, attackers can use these public Postgres endpoints to access Personally Identifiable Information (PII), credentials, and financial data, or to inject malicious data into the database.

Impact

Exploitation of this vulnerability can lead to significant data breaches and unauthorized modifications. Attackers can access and potentially alter a wide range of sensitive information, including PII from users, API keys and access tokens for third-party services, and financial data such as transaction and subscription details.

Reproduction

To reproduce this vulnerability, deploy a Lovable project that uses an external database and was created on or before April 15, 2025. Once the project is live, check whether each database table, particularly those that store sensitive information, has RLS enabled with adequate policies. If RLS is not properly configured, the project can be exploited by sending crafted HTTP requests to the public Postgres endpoints, bypassing the intended data access restrictions and reading or modifying sensitive data.

Remediation

Users are advised to review and enforce proper RLS policies in their databases. This includes enabling RLS on all tables, defining granular RLS policies that follow the principle of least privilege, and regularly auditing RLS configurations to ensure they remain effective. For tables that mix sensitive and non-sensitive data, either split the data into separate tables or enforce access control server-side.
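The following is an added example, not code from the advisory or from Lovable: it shows the weak state described above (a table of PII left open to the public 'anon' role) beside a hardened configuration in plain PostgreSQL, followed by an audit query that lists tables with RLS still disabled. It assumes database roles named anon and authenticated and a helper auth.uid() that returns the calling user's id (the convention behind the 'anon' key); those names and the constructed profiles table are assumptions.

```sql
-- Constructed example table holding PII and a third-party credential.
CREATE TABLE profiles (
  id        uuid PRIMARY KEY,
  owner_id  uuid NOT NULL,   -- the authenticated user who owns the row
  email     text NOT NULL,
  api_token text             -- third-party credential: must never reach anon
);

-- Weak state: RLS off, and the table is readable and writable by any caller
-- presenting the public 'anon' key.
GRANT SELECT, INSERT, UPDATE, DELETE ON profiles TO anon;

-- Hardened configuration.
REVOKE ALL ON profiles FROM anon;                 -- unauthenticated callers get nothing
GRANT SELECT, INSERT, UPDATE ON profiles TO authenticated;

ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE profiles FORCE ROW LEVEL SECURITY;    -- apply even to the table owner

-- With RLS enabled and no policies, every row is hidden. Each policy below
-- opens exactly one operation, and only for rows the caller owns.
-- auth.uid() is an assumed helper returning the caller's user id.
CREATE POLICY profiles_select_own ON profiles
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

CREATE POLICY profiles_insert_own ON profiles
  FOR INSERT TO authenticated
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY profiles_update_own ON profiles
  FOR UPDATE TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- Audit query: ordinary tables in the public schema that still have RLS off.
-- Run this regularly; any row returned is a table to review.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity;
```

Note that enabling RLS without any policy denies all rows to non-owner roles, so the audit query catches only tables with RLS off; tables with RLS on but over-broad policies (for example USING (true) granted to anon) still need a manual policy review.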

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.