VBS-2026-0018 | CRITICAL | CVSS 9 | CWE-863

Lovable generated app authorization gap (CVE-2025-48757, disputed)

A disputed CVE class describing insufficient Supabase RLS in generated apps that could allow unauthenticated reads/writes when policies were missing.

Published: 2025-05-29
Discovered By: NVD / public disclosures
CVSS Score: 9 / 10
Affected AI Platforms: Lovable
Affected Tech Stack: Supabase generated schemas, Missing RLS policies
Remediation

Enforce RLS-by-default and block deploys that lack strict table policies.
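
One way to implement the deploy gate described above, as an added example that is not part of the original advisory or of Lovable's or Supabase's tooling. It assumes the API-exposed tables live in the `public` schema and treats "strict" as: row level security enabled and no permissive policy whose expression is literally `true`. The file name in the comment is hypothetical.

```sql
-- Added example: fail a deploy when any table in "public" lacks RLS
-- or carries an always-true permissive policy.
-- Run in CI with: psql -v ON_ERROR_STOP=1 -f rls_gate.sql   (hypothetical file name)
DO $$
DECLARE
    offenders text;
BEGIN
    SELECT string_agg(format('%I.%I (%s)', schema_name, table_name, reason), ', '
                      ORDER BY schema_name, table_name)
      INTO offenders
      FROM (
        SELECT n.nspname AS schema_name,
               c.relname AS table_name,
               CASE
                   WHEN NOT c.relrowsecurity THEN 'RLS disabled'
                   ELSE 'always-true permissive policy'
               END AS reason
          FROM pg_class c
          JOIN pg_namespace n ON n.oid = c.relnamespace
          LEFT JOIN pg_policy p ON p.polrelid = c.oid
         WHERE n.nspname = 'public'             -- assumption: exposed schema
           AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
         GROUP BY n.nspname, c.relname, c.relrowsecurity
        HAVING NOT c.relrowsecurity
            OR count(*) FILTER (
                   WHERE p.polpermissive
                     AND (pg_get_expr(p.polqual, p.polrelid) = 'true'
                          OR pg_get_expr(p.polwithcheck, p.polrelid) = 'true')
               ) > 0
      ) AS findings;

    -- Any finding aborts the script; with ON_ERROR_STOP psql exits non-zero.
    IF offenders IS NOT NULL THEN
        RAISE EXCEPTION 'RLS gate failed: %', offenders;
    END IF;
END
$$;
```

A table with RLS enabled and no policies passes the gate, because Postgres then denies all rows to non-owner roles. Tables that are intentionally world-readable will be flagged and need an explicit allow-list in the gate.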

#lovable #supabase #rls #authorization #disputed-cve

FAQ
Q

How do I check if my app (Supabase generated schemas, missing RLS policies) is affected by the Lovable generated app authorization gap (CVE-2025-48757, disputed)?

A

A disputed CVE class describing insufficient Supabase RLS in generated apps that could allow unauthenticated reads/writes when policies were missing. Search your codebase for Supabase generated schemas and missing RLS policies, and verify the remediation has been applied. This is rated CVSS 9; treat it as a live incident if your app is already in production.

Q

Why does Lovable generate code with CWE-863 (critical severity)?

A

A disputed CVE class describing insufficient Supabase RLS in generated apps that could allow unauthenticated reads/writes when policies were missing.

Q

How do I fix the Lovable generated app authorization gap (CVE-2025-48757, disputed)?

A

Enforce RLS-by-default and block deploys that lack strict table policies.

Q

What is CVE-2025-48757 and how does it affect Lovable projects?

A

CVE-2025-48757 is a critical severity CVE with a CVSS score of 9, affecting Lovable. It is a disputed CVE class describing insufficient Supabase RLS in generated apps that could allow unauthenticated reads/writes when policies were missing.