Lovable AI builder shipped apps with public storage buckets

May 2025

Reporting showed apps generated with Lovable exposed code and user-uploaded assets via publicly readable storage buckets; fixes required private-by-default configs and hardening.

Incident Details

Perpetrator:Developer

Severity:Facepalm

Blast Radius:Customer app data and source artifacts exposed until configs fixed.

Tech Stack

LovableSupabase storageVercelNext.js

References

Semafor: AI app builder Lovable exposed user data ↗Semafor follow-up: security concerns persisted for weeks ↗Supabase docs: Public vs Private buckets and risks ↗Supabase docs: Hardening the Data API and private schemas ↗HN discussion: user reports and mitigations ↗