
I Scanned 30 Lovable Apps This Month. Here Are the 5 Security Issues I Found in Almost Every One
I run security scans on vibe-coded apps. This month I looked at 30 apps built with Lovable, and the same five issues appeared in nearly every one. These are not theoretical risks. They are things any user with browser DevTools could exploit in under five minutes.

1. Supabase RLS policies that check role instead of ownership

This was in roughly 80% of apps that use Supabase. The AI generates a Row Level Security policy like this:

```sql
CREATE POLICY "Users can view data" ON public.user_data
FOR SELECT USING (auth.role() = 'authenticated');
```

This means any logged-in user can read every row in the table. Not just their own. Every user's data.

The fix is one function call: auth.uid() = user_id instead of auth.role() = 'authenticated', where user_id is the column that stores the owning user's id. I wrote a full guide on checking and fixing this.

2. Supabase anon key + service role key in the JavaScript bundle

Every Lovable app that uses Supabase ships the anon key in the client bundle. That part is expected and documented by Supabase. The problem: a
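The following is an added example for issue 1 above, not code from the original post or from Lovable. It puts the role-only policy next to an ownership-based replacement, covers the write operations the post does not mention (an ownership check on SELECT alone still lets a user insert or update rows as someone else), and ends with an audit query and an impersonation check you can run in the Supabase SQL editor. The table public.user_data, the user_id column and the two UUIDs are assumed for illustration; the foreign key to auth.users is left out so the snippet runs on its own.

```sql
-- Added example (not from the original post). Table and column names are assumed.
-- Seed data is constructed; in a real schema user_id would also reference auth.users(id).
create table if not exists public.user_data (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  payload text
);

alter table public.user_data enable row level security;

-- Constructed rows belonging to two different users.
insert into public.user_data (user_id, payload) values
  ('11111111-1111-1111-1111-111111111111', 'alice: private note'),
  ('22222222-2222-2222-2222-222222222222', 'bob: private note');

-- BEFORE: the policy the post describes. Any signed-in user passes the check,
-- so every row in the table is readable. Kept here as the vulnerable form.
create policy "Users can view data"
  on public.user_data for select
  using (auth.role() = 'authenticated');

-- Drop it rather than adding a stricter policy beside it: Postgres policies are
-- permissive by default, so two policies on the same command are OR'ed together
-- and the old one would keep granting access.
drop policy if exists "Users can view data" on public.user_data;

-- AFTER: one policy per command, each tied to the row's owner.
-- (select auth.uid()) is the form Supabase recommends; the planner can evaluate
-- it once per query instead of once per row.
create policy "Users can view own data"
  on public.user_data for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- WITH CHECK is what rejects an insert that names another user's id.
create policy "Users can insert own data"
  on public.user_data for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

-- UPDATE needs both clauses: USING selects the rows that may be touched,
-- WITH CHECK rejects an update that reassigns user_id to another account.
create policy "Users can update own data"
  on public.user_data for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "Users can delete own data"
  on public.user_data for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- Audit: list SELECT policies whose USING clause checks the role but never
-- the caller's id. Anything returned is a candidate for the same fix.
select schemaname, tablename, policyname, qual
from pg_policies
where cmd = 'SELECT'
  and qual ilike '%auth.role()%'
  and qual not ilike '%auth.uid()%';

-- Impersonation check. Supabase's auth.uid() reads the sub claim from the
-- request.jwt.claims setting, so we can act as "alice" for one transaction.
-- Expected: exactly 1 row, and the bob row is not visible.
begin;
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
  true
);
select count(*) as visible_rows from public.user_data;
-- Expected: fails the WITH CHECK clause, because user_id is not alice's id.
insert into public.user_data (user_id, payload)
  values ('22222222-2222-2222-2222-222222222222', 'alice pretending to be bob');
rollback;
```

Run the impersonation block in the SQL editor before and after the policy change: with the role-only policy the count is 2, with the ownership policies it is 1 and the spoofed insert is rejected. The same check is worth repeating for every table the app exposes through the anon key, since the audit query only catches policies written with auth.role() and not, for example, a policy whose USING clause is simply true.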

