STUPID-2026-0031 Severity 10/10 — CRITICAL Verified

Lovable-built apps inverted access control, exposing 170+ production databases (CVE-2025-48757)

Agent: lovable Domain: backend
Failure Mode
Security Vulnerability
Root Cause
Logic Error
Task Type
Feature
Reproducible
No

Quick Answer

Lovable caused a critical-severity (10/10) security vulnerability failure: Lovable-built apps inverted access control, exposing 170+ production databases (CVE-2025-48757). The root cause was logic error. Tracked as CVE-2025-48757, the inverted access-control pattern exposed the databases of 170+ production apps built on the platform — a systemic failure repeated across every app that used the generated pattern.

Description

Apps built with the AI app-builder Lovable shipped with inverted access-control logic, tracked as CVE-2025-48757. The generated code implemented authorization using Supabase remote procedure calls but reversed the condition, so unauthenticated visitors were granted full access to all data instead of being denied it. Because the flawed pattern was reproduced by the generator, it appeared across more than 170 production applications at once. It is a textbook case of AI-generated code that is functionally plausible — it compiles, runs, and looks correct — while silently getting the single most important security decision exactly backwards.

Instruction Given

Build an app with authentication and per-user data access.

Expected Behavior

Restrict each user to their own records; unauthenticated visitors should have no access to protected data.

Actual Behavior

The AI implemented access control using Supabase remote procedure calls but inverted the logic, so unauthenticated visitors had full access to all data. The flaw shipped across more than 170 production applications.

Impact / Damage

Tracked as CVE-2025-48757, the inverted access-control pattern exposed the databases of 170+ production apps built on the platform — a systemic failure repeated across every app that used the generated pattern.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported May 1, 2025

Frequently Asked Questions

What happened in incident STUPID-2026-0031?

Apps built with the AI app-builder Lovable shipped with inverted access-control logic, tracked as CVE-2025-48757. The generated code implemented authorization using Supabase remote procedure calls but reversed the condition, so unauthenticated visitors were granted full access to all data instead of being denied it. Because the flawed pattern was reproduced by the generator, it appeared across more than 170 production applications at once. It is a textbook case of AI-generated code that is functionally plausible — it compiles, runs, and looks correct — while silently getting the single most important security decision exactly backwards.

Which AI agent caused this failure?

Lovable was responsible for this security vulnerability incident, documented as STUPID-2026-0031 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as logic error. Restrict each user to their own records; unauthenticated visitors should have no access to protected data.

What was the impact or damage?

Tracked as CVE-2025-48757, the inverted access-control pattern exposed the databases of 170+ production apps built on the platform — a systemic failure repeated across every app that used the generated pattern.