Lovable Faces Backlash Over Data Exposure Due to BOLA Vulnerability

Lovable Faces Backlash Over Data Exposure Due to BOLA Vulnerability

First seen 21 Apr 2026, 07:29 UTC Theregisterowasp.orgCybernewsThenextwebBusinessinsider 87% similarity 66.0

Article Content

Browse articles
ThreatCluster

Lovable, a vibe-coding platform, is under scrutiny after a researcher revealed a significant data exposure issue affecting all projects created before November 2025. The researcher, known as @weezerOSINT, demonstrated that anyone could access sensitive information, including source code, database credentials, and chat histories, simply by creating a free account. The vulnerability is attributed to a Broken Object Level Authorization (BOLA) flaw, which allows unauthorized access to user data due to insufficient ownership validation in the API. Lovable initially denied a data breach, later attributing the issue to 'intentional behavior' and unclear documentation. Despite reporting the vulnerability to HackerOne, the bug bounty service labeled it a duplicate and left it unresolved. The incident raises serious concerns about Lovable's security practices, especially given its $6.6 billion valuation and use by major companies like Microsoft and Nvidia. As of now, the company has not fully addressed the vulnerability for existing projects.

Key Points: • Lovable's BOLA vulnerability exposes sensitive user data to any free account. • The issue affects all projects created before November 2025, impacting numerous users. • Lovable initially denied a breach, later shifting blame to documentation and HackerOne.

ThreatCluster AI

Timeline

2025-11-01
All projects created before this date are affected by the vulnerability.
2026-03-03
First report of the vulnerability submitted to HackerOne.
2026-04-17
Researcher publicly reveals the data exposure on X.
2026-04-21
Lovable issues statements denying a data breach but acknowledging the flaw.

Community

Browse all →