
🎯Basically, Lovable claims there was no data leak but admits users could access others' sensitive info.
What Happened
Lovable, a vibe-coding platform, is under fire after a researcher revealed that free account users could access sensitive information from other users. This includes credentials, chat history, and source code. The researcher, known as @weezerOSINT, reported the issue 48 days ago, but Lovable dismissed it as a duplicate submission.
Who's Affected
The vulnerability affects all users of Lovable's platform, particularly those who created projects before November 2025. Companies like Uber and Zendesk that utilize Lovable's services may also be impacted, as their data could potentially be exposed.
What Data Was Exposed
The data exposed includes: This information was accessible due to a Broken Object Level Authorization (BOLA) vulnerability, allowing users to make API calls and access other users' data without proper authorization.
User credentials
Chat histories
Source code
What You Should Do
If you're a Lovable user, consider taking the following actions:
Containment
- 1.Review your project settings to ensure they are private.
- 2.Change your credentials if you suspect they may have been exposed.
Remediation
Lovable's Response
Initially, Lovable denied any breach, stating the exposure was due to "intentional behavior" and unclear documentation. They later acknowledged the issue, explaining that their API inadvertently allowed access to public project chats. Lovable's communication has been criticized for shifting blame to HackerOne, their bug bounty partner, instead of taking full responsibility.
The Security Flaw
The root cause of the issue is a BOLA vulnerability, which occurs when an API fails to validate user ownership of data. This flaw allowed the researcher to access sensitive information without needing to engage in offensive hacking.
Conclusion
This incident serves as a reminder of the importance of clear documentation and accountability in cybersecurity. Lovable's failure to address the vulnerability adequately raises concerns about their commitment to user security. As they work to resolve this issue, users should remain vigilant and proactive in protecting their data.
🔒 Pro insight: Lovable's failure to manage this vulnerability highlights a critical gap in their security practices and communication protocols.





