Vibe Coding and Supabase Security Are the Same Problem

Vibe coding and Supabase security aren't two checklists, they're one. See why CVE-2025-48757 hit 170 of 1,645 apps and how to check your own app today.

Barret7 min read

If you searched "vibe coding supabase security," you're probably trying to figure out which article to read first: the one about vibe coding risks, or the one about Supabase risks. Here's the short answer: for most builders, they're the same article.

You didn't necessarily choose Supabase. If you built your app in Lovable, Bolt, v0, Replit, or a Cursor starter template, Supabase is almost certainly already running underneath it, wired in by default before you typed a single prompt about your database. So the question "is my vibe-coded app secure?" and the question "is my Supabase setup secure?" resolve to the same checklist, checked against the same tables.

This post is the bridge between those two worlds: why they collapsed into one problem, what happened when that problem went unchecked at scale, and how to check your own app in the next five minutes.

⚡ TL;DR

  • Supabase is the default backend for Lovable, Bolt, v0, Replit, and Cursor templates, so "vibe coding security" and "Supabase security" are, for most builders, literally the same checklist.
  • CVE-2025-48757 proved it: 170 of 1,645 scanned Lovable/Supabase apps (10.3%) leaked data through 303 endpoints, not because of a bug in Lovable or a bug in Supabase, but because of the combination.
  • The app worked perfectly the whole time. Missing Row Level Security (RLS) doesn't break anything visible, so nobody, human or AI, gets a signal that something is wrong.
  • You can check your own app for this specific failure mode in a couple of minutes. See "How to check your own app" below.

Why these are really one checklist, not two

"Vibe coding" is the umbrella term for building software by describing what you want in plain English and letting an AI tool generate the code. "Supabase" is a hosted Postgres backend, one of the most popular ways those AI tools give your app a database, authentication, and file storage without you writing backend code yourself.

Those two things sound like separate layers: one is how the app got built, the other is where the data lives. But look at what the major vibe-coding platforms actually ship by default. Lovable scaffolds a Supabase project automatically. Bolt and v0 offer Supabase as the one-click database. Replit and Cursor templates lean on it heavily too. Supabase itself reports around 10 million developers and 15.1 million databases created in 2025, and a large share of that growth is coming through these AI builders, not through developers hand-rolling a backend.

So if you vibe-coded an app and it has user accounts, a database, or file uploads, the odds are high your security surface is Supabase's security surface. There's no separate "vibe coding vulnerability" hiding somewhere else in the stack for most of these apps. The prompt-to-app pipeline and the database access-control layer are the same pipe.

The proof: CVE-2025-48757

This isn't a theory. It's a documented incident, and it's the clearest evidence that "vibe coding security" and "Supabase security" are one checklist: CVE-2025-48757, disclosed in May 2025, found 170 of 1,645 scanned Lovable/Supabase apps (10.3%) exposing data through 303 endpoints, all through the same pattern: a public anon key (not the bug) paired with missing or USING (true) Row Level Security (RLS) policies behind it (the bug). No login required to read data that was never meant to be public.

CVE-2025-48757 wasn't a Lovable bug in isolation, and it wasn't a Supabase bug in isolation. Lovable's generated apps worked; Supabase's access-control feature worked exactly as configured. The vulnerability was the combination: an AI builder that defaults to Supabase, paired with a generation process that doesn't reliably write RLS policies for every table it creates. That combination has since shown up again in other AI-generated apps, including a January 2026 incident where missing RLS on a Supabase-backed social app exposed roughly 1.5 million API keys and 35,000 user emails. Same root cause, different app.

Why the AI doesn't notice, and neither do you

Here's the part that makes this hard to catch by just using the app. An AI coding tool optimizes for "does this work when I test it?" A dashboard that lists every user's orders looks identical whether RLS is properly scoping each request to the logged-in user, or whether RLS is off entirely and quietly returning everyone's orders to everyone. The page renders. The data shows up. The demo works.

There is no functional signal that tells the AI, or the non-developer reviewing the output, that anything is wrong. A broken button gets noticed immediately because the app stops working. A missing RLS policy doesn't break the app; it just makes the app worse than it looks. That asymmetry, "it works" versus "it works safely," is the entire reason this failure mode is so common and so invisible until someone goes looking with the anon key from the outside, the way Palmer did.

How to check your own app

You don't need to be a developer to get a real answer here, and you don't need to touch your live database to do it.

  1. Open your app's page source or network tab and look for a Supabase URL (*.supabase.co) and an anon key. If you don't see one, your app may use a different backend; the checklist below still applies to whichever database it uses.
  2. In your Supabase dashboard, go to Authentication → Policies (or Table Editor, then the shield icon per table). Every table that holds user data should show RLS enabled with named policies, not a blank "no policies" state.
  3. Watch specifically for a policy written as USING (true). That approves every row for every request, which is functionally the same as RLS being off. It's the exact pattern behind CVE-2025-48757.
  4. If a table shows RLS disabled or a USING (true) policy and it holds anything beyond public, read-only content, treat it as the priority fix, not a someday task.

That manual check tells you about the tables you remembered to look at. It won't tell you about the table you forgot, the endpoint your AI tool generated on a prompt you don't remember making, or the policy that got silently reset on a later regeneration.

Not sure if your app has this exact issue?

Run a free, read-only scan of your live app: no install, results in under a minute.

Scan my app free →

The fix, and where to go deeper

Fixing a missing or overly permissive RLS policy is usually a short conversation with your AI tool, not a rebuild: describe exactly who should be able to read or write each table (only the row's owner, only authenticated users, nobody unauthenticated) and ask it to write and enable a matching policy, then verify the policy shows up enabled in the dashboard rather than trusting the chat transcript.

That's the fix in miniature. For the full picture, this post is deliberately the connective layer between two deeper guides worth reading next:

FAQ

Is Supabase itself insecure?

No. Supabase's access controls, including RLS, work as designed. CVE-2025-48757 and similar incidents happened because RLS wasn't turned on or was set too permissively for the app being built, not because Supabase's engine failed. The public anon key doing its job (letting the browser talk to the database) is normal; a table with no matching RLS policy is the gap.

I didn't choose Supabase. Why is this relevant to me?

Most vibe-coding platforms wire in Supabase by default when you ask for user accounts, a database, or file storage, often without naming it explicitly in the prompt flow. If your app has any of those features and you built it in Lovable, Bolt, v0, Replit, or a Cursor template, there's a good chance Supabase is already running underneath it.

Does this only affect apps with logins?

No. Public tables can be affected too, for example a table of leads, waitlist signups, or uploaded files that should be readable only by your app's backend but is instead readable by anyone with the anon key, because no RLS policy scopes it down.

The bottom line

"Vibe coding security" and "Supabase security" read like two separate search queries, but for most builders they point at the same tables, the same anon key, and the same missing RLS policy. CVE-2025-48757 showed what happens when that gap goes unchecked at scale: 170 apps, one shared root cause. An attacker (or a researcher, as it turned out) can find that gap in minutes. You should find it first, and check again after every deploy, because your AI ships new code, and sometimes new holes, every time you prompt it.

Find your gaps before an attacker does.

Is My Site Hackable? scans your deployed app for the exact issues in this article (exposed keys, missing RLS, open buckets) and tells you what's real and what's a false alarm.

Run a free scan →