The Security Risks of Vibe-Coded Apps

Why do AI-built apps have a distinct security profile?

Traditional security risks come from developer error in code the developer understands. Vibe-coded risks come from a different source: an AI generating code that is functionally correct for the current prompt, without accounting for the security properties of the larger system. The model does not know whether RLS was enabled two prompts ago, whether an env variable is client-visible, or whether a form validates input server-side.

The result is a predictable set of gaps that appear across vibe-coded apps regardless of the specific AI builder used: access control is wired at the application layer (the UI shows only your data) but not enforced at the data layer (the database will return any data to any authenticated request); secrets are included in environment variables without distinguishing between client-safe and server-only credentials; and input validation exists in the browser but not in any server-side code that actually executes the write.

Risk 1: Is Row-Level Security missing on your tables?

The most structurally significant risk in Lovable-generated apps is that the database access-control layer — Supabase Row-Level Security — is often not configured, even when the application-layer routing correctly limits what a logged-in user sees in the UI. The UI filter and the database policy are completely separate controls: the UI filter is a convenience, the database policy is the actual security boundary.

In an April 2026 audit of 50 live Lovable apps, security researcher Tomer Goldstein found that 89% had Supabase Row-Level Security disabled (source: "Is Lovable Actually Secure? I Checked the Supabase RLS on 50 Apps," DEV.to, April 2026). Without RLS, any authenticated user — or anyone who obtains a valid JWT — can query every row in every table by calling the Supabase REST API directly, bypassing the app's UI entirely. The fix is straightforward: enable RLS on every user-data table and add the four-policy CRUD template described in the RLS best-practices guide.

Risk 2: Are your secrets exposed in client-visible code?

AI builders generate code that works — but they do not always distinguish between credentials that are safe in the browser and credentials that must stay on the server. The result is that secret-tier credentials end up in places where any user with a browser developer-tools tab can read them: NEXT_PUBLIC_ environment variables that bundle the value into client JS, shared utility modules imported in both server and client components, or hardcoded strings in React components.

The key distinction for Lovable apps: the Supabase anon key and third-party publishable keys are designed to be client-visible and are safe in the browser. The Supabase service_role key, Stripe secret key, and any signing secrets are not. A service_role key in client JS means any user can bypass all RLS and access your entire database directly. The fix is to move secret-tier credentials to Supabase Edge Functions, accessed via Deno.env.get() — never imported or hardcoded client-side.

Risk 3: Are you validating input only on the client?

AI builders generate forms with browser-side validation: required fields, format checks, length limits. This validation is necessary for user experience but is not a security control — it is trivially bypassed by any user who sends a request directly to your Supabase REST API or edge function endpoint, skipping the browser entirely. Unvalidated server-side input enables injection attacks, oversized payloads, and unexpected data formats that can corrupt your database or expose other users' data.

The fix in the Supabase ecosystem is to add validation inside Supabase Edge Functions for any operation that writes sensitive data: check length, validate format, confirm the user owns the resource they are modifying, and return an explicit error (not a stack trace) when validation fails. Supabase's database-level check constraints and NOT NULL constraints also provide a last-resort validation layer at the data level, independent of application code.

How does risk vary by app type?

The three core risks are present across all vibe-coded apps, but the severity of each depends heavily on what data the app handles. A personal todo app and a payments platform share the same structural gaps but face very different consequences. This table maps app type to risk severity to help you prioritise your remediation effort.

How do I systematically close these gaps?

The three risks above have direct mitigations that can be applied to any existing Lovable app. The order matters: close the data-layer gap first (RLS), because it affects every user-data table and cannot be patched by fixing client code. Then audit secrets (locate every credential, confirm which layer it lives in, move any that are in the wrong layer). Then add server-side validation to your highest-risk write paths.

1. Audit RLS: open Supabase → Table Editor and confirm RLS is enabled for every table. For any table with it off, add the four-policy CRUD template (SELECT/INSERT/UPDATE using user_id = auth.uid()).
2. Audit secrets: grep -r 'service_role' src/ and check every NEXT_PUBLIC_ variable in .env for secret-tier values. Rotate any that are found in the wrong layer.
3. Audit client bundle: run npm run build and inspect .next/static/ for any secret key substrings.
4. Add server-side validation: for each form that writes to the database, add a corresponding Supabase Edge Function or server action that validates the payload before executing the write.
5. Lock auth configuration: update Supabase auth Site URL and redirect URLs to your production domain; remove any localhost or *.lovable.app entries.
6. Schedule a re-audit: every new third-party integration and every significant prompt session can re-introduce these risks. Build the five-step verification sweep (from the secrets guide) into your launch checklist.