Theregister
Lovable Faces Backlash Over Data Exposure Due to BOLA Vulnerability
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Lovable, a vibe-coding platform, is under scrutiny after a researcher revealed a significant data exposure issue affecting all projects created before November 2025. The researcher, known as @weezerOSINT, demonstrated that anyone could access sensitive information, including source code, database credentials, and chat histories, simply by creating a free account. The vulnerability is attributed to a Broken Object Level Authorization (BOLA) flaw, which allows unauthorized access to user data due to insufficient ownership validation in the API. Lovable initially denied a data breach, later attributing the issue to 'intentional behavior' and unclear documentation. Despite reporting the vulnerability to HackerOne, the bug bounty service labeled it a duplicate and left it unresolved. The incident raises serious concerns about Lovable's security practices, especially given its $6.6 billion valuation and use by major companies like Microsoft and Nvidia. As of now, the company has not fully addressed the vulnerability for existing projects.
Key Points: • Lovable's BOLA vulnerability exposes sensitive user data to any free account. • The issue affects all projects created before November 2025, impacting numerous users. • Lovable initially denied a breach, later shifting blame to documentation and HackerOne.