Lovable Faces Backlash Over Data Exposure Due to BOLA Vulnerability
Severity: High (Score: 66.0)
Sources: Theregister, owasp.org, Cybernews
Summary
Lovable, a vibe-coding platform, is under scrutiny after a researcher revealed a significant data exposure issue affecting all projects created before November 2025. The researcher, known as @weezerOSINT, demonstrated that anyone could access sensitive information, including source code, database credentials, and chat histories, simply by creating a free account. The vulnerability is attributed to a Broken Object Level Authorization (BOLA) flaw: the API looked up project objects by identifier without validating that the authenticated caller owned them, so any account could read another user's data. Lovable initially denied a data breach, later attributing the issue to 'intentional behavior' and unclear documentation. The researcher reported the vulnerability through HackerOne, but the bug bounty service labeled it a duplicate and it was left unresolved. The incident raises serious concerns about Lovable's security practices, especially given its $6.6 billion valuation and use by major companies like Microsoft and Nvidia. As of now, the company has not fully addressed the vulnerability for existing projects.
Key Points:
• Lovable's BOLA vulnerability exposes sensitive user data to any free account.
• The issue affects all projects created before November 2025, impacting numerous users.
• Lovable initially denied a breach, later shifting blame to documentation and HackerOne.
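The BOLA pattern described in the summary, as an added illustration that is not Lovable's code and does not reproduce the reported endpoint: an API handler that authenticates the caller but fetches a project purely by its id, beside the hardened handler that also validates ownership against the authenticated identity, plus a small helper that reads access-log records to size cross-tenant exposure after the fact. The in-memory store, the handler names, the request shape and the sample users and projects are all constructed for the example.

```python
"""BOLA (Broken Object Level Authorization): vulnerable handler, fixed handler,
and a log-review helper. Added example; the store, names and data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Project:
    project_id: str
    owner_id: str
    source_code: str
    db_credentials: str   # sensitive: must never be returned to a non-owner


@dataclass
class Request:
    user_id: str          # identity established by authentication (session/token)
    project_id: str       # object id supplied by the client, attacker-controlled


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# Constructed sample data: two users, each owning one project.
PROJECTS = {
    "proj-1": Project("proj-1", "alice", "print('hi')", "postgres://alice:secret@db/app"),
    "proj-2": Project("proj-2", "bob", "print('yo')", "postgres://bob:hunter2@db/app"),
}


def _serialize(p: Project) -> dict:
    return {"project_id": p.project_id,
            "source_code": p.source_code,
            "db_credentials": p.db_credentials}


def get_project_vulnerable(req: Request) -> Response:
    """BOLA: the caller is authenticated, but object ownership is never checked.
    Any logged-in account that supplies another user's project id gets the record."""
    project = PROJECTS.get(req.project_id)
    if project is None:
        return Response(404, {"error": "not found"})
    return Response(200, _serialize(project))


def get_project_hardened(req: Request) -> Response:
    """Fix: ownership is validated server-side against the authenticated identity.
    A non-owner receives the same 404 as a missing object, so the check does not
    leak whether the id exists."""
    project = PROJECTS.get(req.project_id)
    if project is None or project.owner_id != req.user_id:
        return Response(404, {"error": "not found"})
    return Response(200, _serialize(project))


def find_cross_tenant_reads(access_log):
    """Incident-response helper: given (user_id, project_id, status) records from an
    access log, return successful reads of objects the user does not own. This is
    how a platform would size the exposure once a BOLA flaw is confirmed."""
    hits = []
    for user_id, project_id, status in access_log:
        project = PROJECTS.get(project_id)
        if status == 200 and project is not None and project.owner_id != user_id:
            hits.append((user_id, project_id))
    return hits


if __name__ == "__main__":
    bob_reads_alice = Request(user_id="bob", project_id="proj-1")
    print("vulnerable:", get_project_vulnerable(bob_reads_alice))   # 200, leaks credentials
    print("hardened:  ", get_project_hardened(bob_reads_alice))     # 404, nothing returned
```

The ownership comparison belongs in the data-access layer (or a query filter such as `WHERE owner_id = :caller`), not in the client or in documentation, which is the distinction the summary's 'intentional behavior' explanation glosses over.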
Key Entities
- Data Breach (attack_type)
- Accenture Denmark (company)
- Copenhagen Business School (company)
- Lovable (platform)
- Supabase (platform)
- Denmark (country)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-287 - Improper Authentication (cwe)
- CWE-798 - Use of Hard-coded Credentials (cwe)
- T1567 - Exfiltration Over Web Service (mitre_attack)
- Broken Object Level Authorization (bola) Vulnerability (vulnerability)