Lovable, Bolt, v0: What Security Research Reveals About AI App Builders
CVE-2025-48757 exposed 170+ Lovable apps. OX Security found Bolt's scanner misses vulnerabilities entirely. Here's what published research says about AI app builder security.
AI app builders promise to turn ideas into working applications in minutes. Lovable, Bolt, and v0 are three of the most popular platforms. But a growing body of security research — from independent researchers, security companies, and the platforms themselves — is revealing consistent patterns in how these tools handle (or don't handle) security.
This isn't speculation. There are published CVEs, third-party analyses, and documented incidents. Here's what the research shows.
Lovable: CVE-2025-48757 and the RLS Problem
In 2025, security researchers from Superblocks reported that Lovable-generated applications had a systematic row-level security (RLS) misconfiguration in their Supabase databases. The vulnerability, assigned CVE-2025-48757, affected the applications of over 170 companies.
The issue: Lovable generated working Supabase integrations but did not configure RLS policies for the tables it created. That matters because a Supabase app ships its project URL and public anon key in the browser bundle, and the database is reachable directly through Supabase's REST API with that key; RLS policies are the only thing standing between an anonymous caller and the rows. With the policies missing, unauthenticated attackers could read and write the databases of affected apps: user data, application state, everything. The vulnerability wasn't in one app; it was in the pattern Lovable used to generate database configurations.
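The check behind this class of finding is simple enough to show. The script below is an added example, not code from the article, Lovable or Supabase: it sends the request an unauthenticated scanner would send to a Supabase project's REST API using only the public anon key, and interprets the answer. The project URL, anon key, table names and sample responses are constructed for illustration; the fetch function is injected so the file runs offline here and against a live project with Node's global `fetch`.

```javascript
// Added example (not code from the article, Lovable or Supabase): probe whether
// tables in a Supabase project are readable by a caller holding only the public
// anon key, the condition CVE-2025-48757 describes. The project URL, anon key,
// table names and sample responses below are constructed for illustration.

const PROJECT_URL = "https://example-project.supabase.co"; // assumed, not a real project
const ANON_KEY = "eyJ.example.anon-key"; // placeholder; the real one is shipped in the app bundle
const TABLES = ["profiles", "orders", "invoices"];

// The request an unauthenticated scanner sends: Supabase's PostgREST endpoint,
// with the anon key as both the apikey header and the bearer token.
function probeRequest(table) {
  return {
    url: `${PROJECT_URL}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`,
    headers: { apikey: ANON_KEY, Authorization: `Bearer ${ANON_KEY}` },
  };
}

// Interpret the response. RLS never raises an error: with RLS enabled and no
// SELECT policy for anon, PostgREST answers 200 with an empty array, so only
// a 200 that actually carries rows proves exposure.
function classify(status, body) {
  if (status === 200) {
    return Array.isArray(body) && body.length > 0 ? "exposed" : "no-rows";
  }
  if (status === 401 || status === 403) return "denied"; // anon role has no GRANT on the table
  if (status === 404) return "not-found";                // table not exposed through the API
  return "unknown";
}

// fetchImpl is injected so the same code runs offline against the sample below
// and online with Node's global fetch.
async function probeTables(tables, fetchImpl) {
  const results = {};
  for (const table of tables) {
    const { url, headers } = probeRequest(table);
    const res = await fetchImpl(url, { headers });
    let body = null;
    try { body = await res.json(); } catch { body = null; }
    results[table] = classify(res.status, body);
  }
  return results;
}

// Constructed responses standing in for a live project.
const SAMPLE_RESPONSES = {
  profiles: { status: 200, body: [{ id: 1, email: "a@example.com" }] }, // RLS off: exposed
  orders:   { status: 200, body: [] },                                   // RLS on, no anon policy
  invoices: { status: 401, body: { code: "42501", message: "permission denied for table invoices" } },
};

function fakeFetch(url) {
  const table = new URL(url).pathname.split("/").pop();
  const r = SAMPLE_RESPONSES[table] || { status: 404, body: { message: "not found" } };
  return Promise.resolve({ status: r.status, json: async () => r.body });
}

probeTables(TABLES, fakeFetch).then(r => console.log(r));
// { profiles: 'exposed', orders: 'no-rows', invoices: 'denied' }
```

`limit=1` keeps the probe read-only and minimal; a write probe (an insert or update with the anon key) is the other half of what the CVE describes, but it modifies someone's data and should only be run against a project you own or are authorized to test. On the database side the fix is to enable RLS on every table exposed through the API and add policies that compare `auth.uid()` to the owning column; a table with RLS enabled and no policy returns an empty set rather than an error, which is why the probe reports an empty 200 as inconclusive instead of safe.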
Cybernews reported that Lovable's built-in security scan — the one that runs before publishing — only catches vulnerabilities 66% of the time. That means a third of security issues ship to production even when developers use the platform's own safety checks.
Bolt: The Scanner That Missed
OX Security published a whitepaper in 2025 testing AI app builders (Lovable, Base44, and Bolt) by generating applications and then running security assessments against them. Their finding on Bolt was stark: Bolt's built-in security scanner failed to identify vulnerabilities that OX's testing found.
This is a critical distinction. It's not just that Bolt generates code with vulnerabilities — all AI builders do. It's that Bolt's own security checks don't catch the issues, giving developers false confidence that their app has been reviewed.
The Shared Patterns Across All Three
Across the published research, the same categories of vulnerability appear regardless of which platform generated the code:
- No security headers — none of the platforms add CSP, HSTS, or X-Frame-Options by default
- Missing server-side authorization — APIs return data based on resource ID without checking the requesting user's permissions
- Client-side-only validation — form validation exists in the UI but the API accepts anything
- No rate limiting — authentication endpoints accept unlimited requests
- Over-permissive database access — the pattern behind CVE-2025-48757 isn't unique to Lovable; generated schemas work without access policies, so the policies never get written
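The four application-layer patterns in the list above are easiest to see side by side in code. The block below is an added example, not code from Lovable, Bolt or v0: a framework-free Node request pipeline with the weak form of the authorization check next to the fixed form, server-side input validation, a per-key rate limiter, and the response headers the list names. The in-memory database, users, order records and the `req.user` session field are constructed assumptions; the file runs with plain `node`.

```javascript
// Added example (not code from Lovable, Bolt or v0): each shared pattern in its
// weak form beside a fixed form. DB, users and orders are constructed sample
// data; req.user is assumed to be set by an upstream session layer.

const DB = {
  orders: [
    { id: 101, ownerId: "u1", total: 49.0 },
    { id: 102, ownerId: "u2", total: 1200.0 },
  ],
};

// 1. Missing server-side authorization: returns whatever id the client asks for.
function getOrderVulnerable(_user, orderId) {
  return DB.orders.find(o => o.id === orderId) || null;
}

// Fixed: the requester must own the record. A foreign id is answered exactly
// like a missing one so the endpoint does not reveal which ids exist.
function getOrder(user, orderId) {
  const order = DB.orders.find(o => o.id === orderId);
  if (!order || order.ownerId !== user.id) return null;
  return order;
}

// 2. Client-side-only validation: the API re-checks every field and rejects
// unknown ones, which also blocks mass assignment of fields like "price".
// Returns an array of error strings; empty means the input is acceptable.
function validateOrderInput(body) {
  if (typeof body !== "object" || body === null) return ["body must be an object"];
  const errors = [];
  if (!Number.isInteger(body.quantity) || body.quantity < 1 || body.quantity > 100) {
    errors.push("quantity must be an integer 1..100");
  }
  if (typeof body.sku !== "string" || !/^[A-Z0-9-]{3,32}$/.test(body.sku)) {
    errors.push("sku must match ^[A-Z0-9-]{3,32}$");
  }
  const allowed = new Set(["sku", "quantity"]);
  for (const k of Object.keys(body)) {
    if (!allowed.has(k)) errors.push(`unexpected field: ${k}`);
  }
  return errors;
}

// 3. No rate limiting: fixed-window counter per key (client IP or account),
// the same limiter you would put in front of /login and /reset-password.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  allow(key, now = Date.now()) {
    const entry = this.hits.get(key);
    if (!entry || now - entry.start >= this.windowMs) {
      this.hits.set(key, { start: now, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

// 4. No security headers: the three the list names, plus nosniff.
function securityHeaders() {
  return {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
  };
}

// Handler for GET /orders/:id tying the pieces together. Returns a plain
// { status, headers, body } object so it can be exercised without a server.
function handleGetOrder(req, limiter) {
  const headers = securityHeaders();
  if (!limiter.allow(req.ip)) return { status: 429, headers, body: { error: "too many requests" } };
  if (!req.user) return { status: 401, headers, body: { error: "unauthenticated" } };
  const id = Number.parseInt(req.params.id, 10);
  if (!Number.isInteger(id)) return { status: 400, headers, body: { error: "bad id" } };
  const order = getOrder(req.user, id);
  if (!order) return { status: 404, headers, body: { error: "not found" } };
  return { status: 200, headers, body: order };
}

// Demonstration: user u1 asking for u2's order gets 404 from the fixed path
// but the full record from the vulnerable one.
const limiter = new RateLimiter(20, 60_000);
console.log(handleGetOrder({ ip: "198.51.100.7", user: { id: "u1" }, params: { id: "102" } }, limiter).status); // 404
console.log(getOrderVulnerable({ id: "u1" }, 102)); // { id: 102, ownerId: 'u2', total: 1200 }
```

The ownership check belongs in the handler (or the database policy) rather than in the UI: the generated front end may hide other users' order ids, but the API is what an attacker calls. The limiter here is in-process and resets on restart; behind multiple instances you would back it with a shared store, but the interface stays the same.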
Why Platform Security Scans Aren't Enough
Both Lovable and Bolt offer built-in security checks. The research shows these aren't reliable. Lovable's catches 66% of issues. Bolt's missed vulnerabilities entirely in OX's testing. These scans check for surface-level issues but don't perform the kind of deep testing that catches authorization flaws, business logic issues, or configuration problems.
The platforms are improving — Lovable patched the RLS issue after disclosure, and all three platforms have been updating their security defaults. But the fundamental tension remains: these tools optimize for speed and functionality, not security.
What This Means If You're Building with These Tools
None of this means you shouldn't use AI app builders. The vulnerabilities they produce are predictable, well-documented, and testable. The research consistently shows the same categories of issues, which means the same scan catches problems across all three platforms.
What the research does mean: don't rely on the platform's built-in security checks. Run an independent scan after building. The vulnerabilities are real, the CVEs are published, and the fixes are straightforward once you know what to look for.
Built with Lovable, Bolt, or v0? Scan it free at nullscan.io