API Flaw in Lovable AI App Builder Exposes Sensitive Data of Thousands
Severity: High (Score: 66.0)
Sources: Gbhackers, Cybersecuritynews
Summary
A Broken Object Level Authorization (BOLA) vulnerability, described by the reporting researchers as critical, has been disclosed in Lovable, an AI-powered app builder. The flaw sits in the platform's API and lets an authenticated user retrieve project data belonging to other users. It affects thousands of projects created before November 2025 and exposes source code, database credentials, AI chat histories, and real customer information. According to the researchers, the vulnerability was unpatched at the time of disclosure, so the exposed data remains reachable to anyone who exploits it. Affected users are the developers and businesses that build apps on Lovable. They are urged to review their projects for exposed credentials and customer data; in particular, database credentials stored in affected projects should be treated as potentially exposed until the flaw is fixed. The case is a textbook pairing of CWE-862 (Missing Authorization) with CWE-200 (Exposure of Sensitive Information): an API endpoint that accepts an object identifier must verify that the authenticated caller is permitted to access that specific object, not merely that the caller is logged in.
Key Points:
• A BOLA vulnerability in Lovable exposes sensitive data from projects created before November 2025.
• Unauthorized users can access source code, database credentials, AI chat histories, and customer information.
• The vulnerability remains unpatched, posing ongoing risk to users of the Lovable platform.
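The following is an added illustration of the flaw class, not code from Lovable or from the researchers' report. The endpoint shape, the project records, the field names and the two user accounts are all hypothetical. It places a handler that returns a project by ID alone beside one that scopes the lookup to the caller, then runs the kind of two-account probe a tester uses to confirm a BOLA: request every ID as one user and list the objects that came back but belong to someone else.

```python
"""
Constructed BOLA example: a vulnerable project-lookup handler, its
hardened form, and a simple authorization probe against both.
All identifiers and data below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List


@dataclass
class Project:
    id: int
    owner: str
    source: str
    db_url: str  # hypothetical database credential stored with the project


@dataclass
class HttpResponse:
    status: int
    body: dict = field(default_factory=dict)


# Constructed sample data: three projects belonging to two users.
PROJECTS = {
    1: Project(1, "alice", "print('alice app')", "postgres://alice:s3cret@db/alice"),
    2: Project(2, "bob", "print('bob app')", "postgres://bob:hunter2@db/bob"),
    3: Project(3, "alice", "print('alice app 2')", "postgres://alice:s3cret@db/alice2"),
}


def _serialize(project: Project) -> dict:
    return {"id": project.id, "source": project.source, "db_url": project.db_url}


def get_project_vulnerable(user: str, project_id: int) -> HttpResponse:
    """BOLA (CWE-862): the caller is authenticated, but the object is
    returned without checking that this caller may see this object."""
    project = PROJECTS.get(project_id)
    if project is None:
        return HttpResponse(404)
    return HttpResponse(200, _serialize(project))


def get_project_fixed(user: str, project_id: int) -> HttpResponse:
    """Object-level authorization: the lookup is scoped to the caller.
    A foreign object is answered exactly like a missing one (404), so the
    endpoint does not confirm which IDs exist to an attacker enumerating them."""
    project = PROJECTS.get(project_id)
    if project is None or project.owner != user:
        return HttpResponse(404)
    return HttpResponse(200, _serialize(project))


def bola_probe(
    handler: Callable[[str, int], HttpResponse],
    user: str,
    id_range: Iterable[int],
) -> List[int]:
    """Request every ID in id_range as `user` and return the IDs whose data
    was served even though the object belongs to a different owner.
    The ownership oracle here is the in-memory table; against a real API
    the tester would know ownership from the two accounts they control."""
    leaked = []
    for pid in id_range:
        resp = handler(user, pid)
        if resp.status == 200 and PROJECTS[pid].owner != user:
            leaked.append(pid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", bola_probe(get_project_vulnerable, "bob", range(1, 5)))
    print("fixed handler leaks:     ", bola_probe(get_project_fixed, "bob", range(1, 5)))
```

The probe is the check to automate in CI for any endpoint that takes an object ID: two accounts, each creating its own objects, then each account requesting the other's IDs and asserting on a 404. Returning 404 rather than 403 for foreign objects is a deliberate choice in the fixed handler, so that sequential or guessable IDs do not become an existence oracle.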
Key Entities
- Data Breach (attack_type)
- Lovable (platform)
- Lovable AI App Builder (platform)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-862 - Missing Authorization (cwe)