What are the most common security vulnerabilities in low-code apps?

The most common security vulnerabilities in low-code apps are missing authentication on API endpoints, disabled or absent Row Level Security (RLS) on databases, API keys exposed in client-side code, overly permissive CORS configurations, and broken access control where frontend-only checks substitute for server-side authorization. These occur because low-code platforms abstract away backend logic, and builders often don't realize security configuration is their responsibility.

Are low-code platforms like Bubble and Retool secure by default?

No. Low-code platforms like Bubble, Retool, Lovable, Bolt, and Base44 provide security features but do not enable them by default. Bubble requires manual privacy rule configuration on every data type. Retool needs explicit query permissions and role-based access setup. Lovable uses Supabase but generates tables without RLS policies. Builders must actively configure security on every platform -- none are secure out of the box.

How do I find security vulnerabilities in my low-code app?

Audit your low-code app by: 1) Opening browser DevTools and checking the Network tab for exposed API keys, database URLs, and sensitive data in responses, 2) Testing every API endpoint without authentication to find open routes, 3) Checking database security rules (RLS in Supabase, privacy rules in Bubble, query permissions in Retool), 4) Searching your codebase for hardcoded secrets with tools like gitleaks, 5) Testing role-based access by logging in as different user types and attempting to access restricted features. Automated tools like VibeEval can scan for these vulnerabilities across all major low-code platforms.

← Back to AI Security

Low-Code App Security Vulnerabilities

Low-code platforms like Lovable, Bolt, Base44, Bubble, and Retool let you build apps in hours instead of months. But the speed comes at a cost: security is almost always an afterthought. These platforms abstract away the backend, which means builders never see the database queries, API routes, or authentication logic their apps depend on. The result is thousands of production apps with open APIs, exposed databases, and leaked credentials. This guide covers the specific vulnerabilities that affect low-code apps and how to fix them on every major platform.

Why Low-Code Apps Are Vulnerable

Low-code platforms sell a compelling promise: build without understanding the underlying technology. Drag components, connect data sources, deploy. But security is not something that can be abstracted away. When a platform hides the backend from you, it does not eliminate security risks -- it hides them. You cannot secure what you cannot see.

Traditional developers learn about SQL injection, XSS, and access control as part of their education. Low-code builders often come from non-technical backgrounds -- product managers, designers, entrepreneurs -- and have never encountered these concepts. The platform documentation mentions security features, but they are buried in advanced settings that most builders never open.

The core problem is a mismatch between responsibility and visibility. The platform gives you the tools to configure security, but it does not force you to use them. Default configurations prioritize ease of development: databases are open, APIs are public, and authentication is optional. This makes the first hour of building feel magical. It also means every app starts in an insecure state.

Compounding the issue, low-code platforms generate or manage code that builders cannot easily review. When Lovable generates a Supabase backend, you get working SQL -- but reviewing it for security requires understanding Row Level Security policies, Postgres permissions, and auth token verification. When Bubble creates a workflow, the logic is stored in a visual editor with no way to run a static analysis tool against it. The abstraction that makes building fast also makes auditing hard.

Authentication and Access Control Gaps

Authentication and access control are the most critical -- and most frequently broken -- security layers in low-code apps. The pattern is consistent across platforms: auth exists as a feature, but it is not wired up correctly to protect data and actions.

Default auth configs are insufficient -- Most platforms ship with basic email/password auth, but the default configuration does not enforce email verification, does not set password complexity requirements, and does not implement account lockout after failed attempts. Builders see "auth is enabled" and assume they are protected.
Missing role-based access checks -- Apps distinguish between user roles (admin, editor, viewer) in the frontend UI but do not enforce these roles on the server. A regular user can access admin API endpoints by sending requests directly. The frontend hides the button, but the endpoint is wide open.
Open API endpoints -- Low-code platforms expose REST or GraphQL APIs for data access. Builders protect pages with login screens but forget that the underlying API can be called directly. Anyone who inspects the network traffic can replay API calls without authentication.
Session management weaknesses -- Auth tokens stored in localStorage instead of httpOnly cookies, tokens that never expire, and missing token rotation after password changes. A stolen token grants permanent access.
No multi-tenancy isolation -- Apps serving multiple organizations store all data in the same tables without tenant-level isolation. A query filter in the frontend hides other tenants' data, but removing the filter (or modifying the API call) reveals everything.

The fix requires shifting from frontend-only protection to server-side enforcement. Every API endpoint needs an authentication check. Every database query needs to filter by the authenticated user's permissions. Every role distinction visible in the UI must be enforced on the backend. This is non-negotiable regardless of which platform you use.

Data Exposure in Low-Code Platforms

Data exposure is the second major vulnerability class in low-code apps. The platforms make it trivially easy to connect a database and display data, but they do not enforce limits on what data flows to the client.

Client-side data fetching without filters -- Low-code apps commonly fetch entire tables to the browser and filter client-side. Open the Network tab and you see the full dataset, including records belonging to other users. The UI shows a filtered view, but the data is already in the browser.
Missing Row Level Security (RLS) -- Supabase-based platforms like Lovable generate tables with RLS disabled by default. The Supabase anon_key is public by design -- it is meant to be used in the browser. Without RLS policies, that public key grants full read and write access to every row in every table.
Exposed database connection strings -- Some platforms expose the full database URL in environment variables that end up in client-side bundles. This grants direct database access, bypassing all application-level security.
Over-fetching sensitive fields -- API responses include fields the UI does not display: password hashes, internal IDs, email addresses, payment details. The frontend component only renders the user's name, but the API response contains their entire profile.
No field-level permissions -- Most low-code platforms implement table-level access (can this user read this table?) but not field-level access (can this user see the salary column?). If a user can read the employees table, they can read every field in it.

Preventing data exposure requires server-side query filtering (never fetch more data than the user needs), RLS policies on every table, explicit field selection in API queries (no SELECT *), and regular auditing of API responses to catch over-fetching. Use your browser's DevTools to inspect every API response your app makes -- if you can see data that should be private, so can your users.

Third-Party Integration Risks

Low-code apps are integration-heavy by nature. Connecting to Stripe, SendGrid, OpenAI, Twilio, and dozens of other services is a core feature. But every integration is a potential security hole when credentials are mishandled.

API keys in frontend code -- The most common and most dangerous pattern. Builders paste API keys into environment variables that get bundled into the client-side JavaScript. Anyone viewing the page source or inspecting network requests can extract these keys. This applies to payment processors (Stripe secret keys), AI APIs (OpenAI keys with billing), and email services (SendGrid keys that send as your domain).
Webhook endpoints without validation -- Webhooks from Stripe, GitHub, or other services are received by endpoints that do not verify the request signature. An attacker can send fake webhook payloads to trigger actions like creating premium accounts, confirming fake payments, or modifying user data.
OAuth misconfiguration -- OAuth redirect URIs that accept any domain, missing state parameter validation (allowing CSRF), and storing OAuth tokens in client-accessible storage. These allow attackers to hijack the OAuth flow and gain access to the third-party service on behalf of your users.
Overprivileged API keys -- Using a single API key with full permissions instead of scoped keys with minimal access. If the key leaks (and in low-code apps, it often does), the attacker gets complete access to the third-party service.
Missing rate limiting on proxy endpoints -- When builders correctly move API keys to a backend proxy, they often forget to add rate limiting. Attackers can use your proxy to make unlimited API calls at your expense. OpenAI bills can escalate to thousands of dollars overnight.

Every third-party API key must live on the server, never in the browser. Use server-side proxy functions (Supabase Edge Functions, Vercel API routes, or platform-specific backend logic) to make API calls. Validate webhook signatures using the provider's verification library. Scope API keys to the minimum permissions required. Add rate limiting to every proxy endpoint.

Platform-Specific Vulnerabilities

Each low-code platform has its own security model and its own common failure modes. Here is what to watch for on the five most popular platforms:

Lovable

Lovable generates full-stack apps using Supabase as the backend. The primary vulnerability is missing RLS policies. Lovable creates tables and inserts data but does not always generate corresponding RLS policies. Since Supabase exposes the anon_key in the client bundle (by design), any table without RLS is fully readable and writable by anyone on the internet. Additionally, Lovable-generated Edge Functions sometimes lack authentication checks, creating open API endpoints. Always verify that every table has RLS enabled and that policies match your access requirements.

Bolt

Bolt generates full applications from prompts and deploys them quickly. The main risk is environment variable exposure. API keys and secrets placed in .env files sometimes end up in the client-side bundle during the build process, especially when using Vite or similar tools that only protect variables without the right prefix. Bolt-generated apps also tend to have hardcoded configuration values scattered across components instead of centralized in environment variables. Review the built JavaScript output (not just the source) to confirm no secrets are included.

Base44

Base44 provides a rapid app-building experience with auto-generated APIs. The key vulnerability is unprotected API endpoints. Base44 generates CRUD endpoints for every data model, and these endpoints are often accessible without authentication tokens. The API structure is predictable (following REST conventions), making it easy for attackers to enumerate and access endpoints. Builders must explicitly add authentication requirements to each endpoint and validate that unauthorized requests are rejected.

Bubble

Bubble uses a visual programming model where security depends on privacy rules configured per data type. The default is no privacy rules -- every data type is readable by everyone. Builders must manually add rules to restrict who can find, view, and modify each data type. Bubble's API Connector plugin can also leak API keys if the "private" checkbox is not checked for sensitive headers. Additionally, Bubble's search functionality can expose data when privacy rules are not correctly scoped with constraints.

Retool

Retool is used for internal tools and admin panels, which makes its security vulnerabilities particularly dangerous since these tools often have access to production databases. The primary risk is query permissions and resource access. Retool queries run with the permissions of the connected database user, which is often a superuser. Without Retool's permission groups properly configured, any Retool user can run any query against any connected resource. Additionally, Retool apps shared via link can be accessed by anyone in the organization, even if they should not have access to the underlying data.

How to Audit a Low-Code App

Auditing a low-code app requires a different approach than auditing traditional code. You cannot always read the source, so you need to test from the outside in. Here is a practical checklist:

Inspect network traffic -- Open browser DevTools, go to the Network tab, and use the app normally. Look at every request and response. Check for API keys in headers, sensitive data in responses, and endpoints that return more data than the UI displays.
Test API endpoints without auth -- Copy API request URLs from DevTools and replay them in a new browser tab or with curl, without the auth token. If you get data back, the endpoint lacks authentication.
Check database security -- For Supabase apps, use the Supabase dashboard to verify RLS is enabled on every table. Run test queries with the anon_key to confirm policies work. For Bubble, review privacy rules on every data type. For Retool, check permission groups.
Search for exposed secrets -- View the page source and search for patterns like "sk-", "key_", "secret", and common API key formats. Check JavaScript bundle files for hardcoded credentials. Use tools like gitleaks on any associated git repositories.
Test role-based access -- Create accounts with different roles (admin, user, viewer). Log in as a lower-privileged user and attempt to access admin features by navigating directly to URLs or by modifying API requests to use admin-only parameters.
Verify webhook security -- If the app receives webhooks, send a fake payload to the webhook endpoint. If the app processes it without signature verification, the webhook is vulnerable.
Check CORS and headers -- Send a request with a different Origin header to verify CORS is not set to wildcard (*). Check for security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.
Test file upload restrictions -- If the app allows file uploads, attempt to upload executable files, oversized files, and files with manipulated MIME types. Check if uploaded files are accessible at predictable URLs.
Review third-party integrations -- List every external service the app connects to. Verify API keys are server-side only. Check that OAuth configurations use specific redirect URIs, not wildcards.
Run automated scanning -- Use tools like VibeEval, OWASP ZAP, or Burp Suite to perform automated vulnerability scanning. These tools catch common issues like missing security headers, XSS, and open redirects that manual testing might miss.

Run this audit before every production deployment and after every significant change. Low-code platforms update frequently, and platform updates can reset security configurations or introduce new default behaviors. What was secure last month may not be secure today.

Related Resources

AI Code Vulnerability Taxonomy

Complete classification of vulnerabilities in AI-generated code

OWASP Top 10 for AI Code

How OWASP vulnerabilities appear in AI-generated applications

Common Security Flaws

The most frequent security flaws found in AI-built applications

Scan Your Low-Code App for Vulnerabilities

VibeEval detects security vulnerabilities specific to low-code platforms -- missing RLS, exposed API keys, open endpoints, and broken access control. Get a full security audit of your Lovable, Bolt, Base44, Bubble, or Retool app in minutes.

Start Free Security Scan