Last updated: January 12, 2026
An honest security analysis of Bubble for developers considering it for their projects.
Bubble can be run securely when privacy rules are configured correctly, but the visual editor keeps critical security settings out of sight. Privacy rules are Bubble's equivalent of database row-level security (RLS): a data type with no rules, or a badly written one, exposes every record of that type to every visitor. API workflows are public by default. Plugin security quality varies.
Security researchers regularly find Bubble apps with no privacy rules on their data types, exposing user records. Unlike a code-based app, where you write each query and decide what it returns, Bubble's visual builder generates the queries for you, which makes it easy to forget that privacy rules exist at all.
Bubble can be production-secure, but the editor does not surface security settings. Privacy rules sit under Data → Privacy. API workflows default to public. You must deliberately seek out and configure security; it will not happen by accident. Test your app as a logged-out user, and as a low-privilege logged-in user, to find exposures.
Understanding Bubble security in the context of broader industry trends and research.
10.3% of Lovable applications (170 out of 1,645) had exposed user data in the CVE-2025-48757 incident (source: CVE-2025-48757 security advisory).
Average cost of a data breach in 2023 (source: IBM Cost of a Data Breach Report 2023).
Developers using vibe-coding platforms such as Lovable, Bolt, and Replit (source: combined platform statistics, 2024-2025).
“There's a new kind of coding I call 'vibe coding', where you fully give in to the vibes, embrace exponentials, and forget that the code even exists.”
“It's not really coding - I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works.”
Privacy rules are Bubble's equivalent of row-level security. They control which users can find, view and modify which records and fields. Find them under Data → Privacy. A data type with no privacy rules is readable by every user, including logged-out visitors, through any search in the app (and through the Data API, if it is enabled for that type). This is the #1 source of Bubble security issues.
By default, no. An API workflow can be called without authentication unless you change that in the workflow's settings, so anyone who discovers the endpoint can run it. Require authentication on every workflow that is not meant to be anonymous, and still check the calling user's permissions inside the workflow: authentication proves who is calling, not that they are allowed to act on the record they pass in.
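The logged-out test recommended above, applied to the two entry points these answers cover (data types with missing or permissive privacy rules, and API workflows that run without authentication), as an added example in Python. This is not code from the original page or from Bubble. It assumes Bubble's documented API layout (/api/1.1/obj/<type> for the Data API, /api/1.1/wf/<name> for the Workflow API, prefixed with /version-test/ for the development version) and the Data API's `limit` query parameter; the app host, data type names, workflow names and the sample response embedded below are constructed for illustration.

```python
"""Probe a Bubble app as an anonymous (logged-out) caller.

Added example, not part of the original page or of Bubble's own tooling.
Assumes Bubble's documented API layout: Data API under /api/1.1/obj/<type>,
Workflow API under /api/1.1/wf/<name>, with /version-test/ selecting the
development version. App host, type names and workflow names are hypothetical.
"""
import json
import sys
import urllib.error
import urllib.request

# Field-name fragments whose presence in an anonymous reply is almost always a leak.
SENSITIVE_HINTS = ("email", "phone", "password", "token", "address", "stripe")


def classify_data_response(status, body):
    """Interpret one Data API reply made with no session cookie or API token.

    Returns (verdict, detail). Verdicts:
      EXPOSED     - records came back to an anonymous caller: no privacy rule,
                    or one that leaves "Find this in searches" open to everyone.
      FILTERED    - 200 with no records: a privacy rule hides them, or the
                    table is empty. Ambiguous; re-test with a record you know exists.
      PROTECTED   - 401/403: the type requires authentication.
      NOT_EXPOSED - 404: the type is not enabled in Settings -> API (or misspelt).
    """
    if status in (401, 403):
        return "PROTECTED", "requires authentication"
    if status == 404:
        return "NOT_EXPOSED", "type not enabled in the Data API"
    if status != 200:
        return "UNKNOWN", f"HTTP {status}"
    try:
        results = json.loads(body)["response"]["results"]
    except (ValueError, KeyError, TypeError):
        return "UNKNOWN", "unexpected body"
    if not results:
        return "FILTERED", "no records returned (privacy rule or empty table)"
    leaked = sorted({k for r in results for k in r
                     if any(h in k.lower() for h in SENSITIVE_HINTS)})
    return "EXPOSED", f"{len(results)} record(s) readable; sensitive-looking fields: {leaked}"


def classify_workflow_response(status):
    """Interpret an unauthenticated POST to an API workflow by status code alone."""
    if status in (401, 403):
        return "PROTECTED"
    if status == 404:
        return "NOT_EXPOSED"
    if 200 <= status < 300:
        return "RUNS_ANONYMOUSLY"
    return "UNKNOWN"


def fetch(url, method="GET"):
    """Send the request with no credentials at all; return (status, body)."""
    req = urllib.request.Request(
        url, method=method,
        data=b"{}" if method == "POST" else None,
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(app_host, data_types, workflows, version="version-test"):
    """Probe every listed data type and workflow anonymously; return {endpoint: verdict}."""
    base = f"https://{app_host}/{version}/api/1.1"
    report = {}
    for t in data_types:
        status, body = fetch(f"{base}/obj/{t}?limit=5")
        report[f"obj/{t}"] = classify_data_response(status, body)
    for w in workflows:
        status, _ = fetch(f"{base}/wf/{w}", method="POST")
        report[f"wf/{w}"] = (classify_workflow_response(status), f"HTTP {status}")
    return report


# Constructed sample reply, shaped like the Data API response envelope, standing in
# for a User type that has no privacy rule. Not captured from any real app.
SAMPLE_LEAK = json.dumps({"response": {"cursor": 0, "count": 2, "remaining": 0, "results": [
    {"_id": "1700000000000x1", "email": "alice@example.com", "stripe_customer": "cus_x"},
    {"_id": "1700000000000x2", "email": "bob@example.com", "stripe_customer": "cus_y"},
]}})

if __name__ == "__main__":
    # Usage: python probe.py myapp.bubbleapps.io User,Order create_order,reset_password
    host, types, wfs = sys.argv[1], sys.argv[2].split(","), sys.argv[3].split(",")
    for endpoint, (verdict, detail) in probe(host, types, wfs).items():
        print(f"{verdict:16} {endpoint:30} {detail}")
```

Run it only against an app you own, against the development version first and then live. An EXPOSED verdict means anonymous callers can read those records and the listed fields. FILTERED is ambiguous, so re-test with a record you know exists. Note the scope: the Data API only answers for types enabled under Settings → API, while the same privacy rules also govern every search inside the app, so a type that is NOT_EXPOSED here can still leak through a page that searches it; the logged-out walk-through of the app itself is still needed.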
Plugin security varies widely. A plugin runs inside your app with access to your database and user data. Install only plugins from developers you trust, read the reviews, check when they were last updated, and remove any you no longer use. Treat them like npm packages: third-party code running in your app.
In code, you write each database query yourself and decide what it returns, so access control is in front of you as you work. In Bubble, the visual builder generates the queries and nothing prompts you to restrict them, so it is easy to ship without a single privacy rule. You must configure them proactively; they are not enforced by default.
Don't guess - scan your app and know for certain. VAS checks for all the common security issues in Bubble applications.