Overview
- Researcher @weezerOSINT disclosed Monday that a free Lovable account could read other users’ source code, chat histories, database credentials, and customer data for projects created before November 2025.
- A Broken Object Level Authorization (BOLA) flaw in Lovable’s API caused the exposure: the API never checked whether the requesting user owned the data they asked for, so the researcher reached the exposed data with a handful of API calls.
- Lovable first said the behavior reflected public project settings, then apologized and said a February permissions update accidentally re‑enabled access to chats, which it says it has now reverted and patched.
- The researcher says they reported the issue through Lovable’s HackerOne program in early March and that it sat for 48 days marked as a duplicate, while Lovable later criticized HackerOne for treating chat access as intended.
- Security experts urge users to audit chat logs for pasted keys and rotate any exposed credentials, noting that vibe‑coding platforms often store secrets in prompts and that recent incidents at Anthropic and Vercel point to weak defaults across AI developer tools.
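To make the BOLA point concrete, here is an added, constructed example that is not Lovable’s code and does not reflect its API: a minimal in-memory project store with a vulnerable lookup that trusts the requested id alone, beside a hardened lookup that checks ownership (or a public flag) before returning anything. It also shows the public-project nuance from the vendor’s first response: even a public project should expose its code only, never its chat history or stored credentials. All names, ids and secret-looking values are hypothetical.

```python
"""Constructed illustration of Broken Object Level Authorization (BOLA).

Hypothetical project store and handlers; not Lovable's code or API.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


@dataclass
class Project:
    project_id: str
    owner_id: str
    is_public: bool
    source: str
    chat_history: list[str] = field(default_factory=list)
    db_url: str = ""


# Constructed sample data; the key and password below are fake placeholders.
PROJECTS = {
    "p-100": Project("p-100", "alice", False, "print('hello')",
                     ["build me a login page", "use api key sk-FAKE-123"],
                     "postgres://app:FAKE_PASSWORD@db/app"),
    "p-200": Project("p-200", "bob", True, "console.log(1)", [], ""),
}


def get_project_vulnerable(caller_id: str, project_id: str) -> Project:
    """BOLA: the id is looked up directly; caller_id is never compared
    with the owner, so any authenticated account can read any project."""
    return PROJECTS[project_id]


def get_project_hardened(caller_id: str, project_id: str) -> Project:
    """Object-level authorization: deny unless the caller owns the project
    or the project is explicitly public."""
    project = PROJECTS.get(project_id)
    if project is None or not (project.is_public or project.owner_id == caller_id):
        # One error for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden(f"{caller_id} may not read {project_id}")
    return project


def can_read(caller_id: str, project_id: str) -> bool:
    """True if the hardened check would let caller_id read project_id."""
    try:
        get_project_hardened(caller_id, project_id)
        return True
    except Forbidden:
        return False


def read_project(caller_id: str, project_id: str) -> dict:
    """Serialize with field-level scoping: owners get everything, while a
    public project exposes its source only, never chats or credentials."""
    project = get_project_hardened(caller_id, project_id)
    view = {"project_id": project.project_id, "source": project.source}
    if project.owner_id == caller_id:
        view["chat_history"] = list(project.chat_history)
        view["db_url"] = project.db_url
    return view


if __name__ == "__main__":
    # "mallory" owns nothing, yet the vulnerable lookup hands over alice's secrets.
    print(get_project_vulnerable("mallory", "p-100").db_url)
    print(can_read("mallory", "p-100"))   # False
    print(read_project("mallory", "p-200"))  # public view, no chats or db_url
```

The two lookups differ by a single comparison; the detection cue for reviewers is any handler that resolves an object by a client-supplied id without also consulting the authenticated principal.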