
"Lovable has a mass data breach affecting every project created before November 2025. I made a Lovable account today and was able to access another user's source code. Database credentials, AI chat histories, and customer data are all readable by any free account."
"The leak stems from a Broken Object Level Authorization (BOLA) vulnerability, which occurs when an API exposes endpoints that allow users to access or modify sensitive data belonging to other users due to missing ownership validation."
"According to the bug hunter, no offensive hacking is needed to trigger the bug. They say they made five API calls from a free account and gained access to another user's profile, their public projects, and source code, and then extracted database credentials from the source code."
Lovable's platform has been criticized for a security vulnerability that allows free account holders to access other users' sensitive information, including credentials and chat histories. Initially, the company attributed the issue to unclear documentation and user behavior. A researcher had reported the flaw 48 days earlier, but Lovable dismissed it as a duplicate. The vulnerability, classed as Broken Object Level Authorization, enables unauthorized access to user data with no hacking required. Lovable has not responded to inquiries regarding the situation.
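The missing ownership check described above, shown as an added example that is not Lovable's code: a hypothetical project-read handler without object-level authorization beside a hardened one, plus the denial count a defender would alert on when one account probes other users' project ids. The store, handler names and sample values are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed in-memory store; Project, PROJECTS and the handlers are hypothetical.
@dataclass(frozen=True)
class Project:
    project_id: str
    owner_id: str
    is_public: bool   # governs the public listing only; source is never public
    source: str       # app source, which may embed database credentials

PROJECTS = {
    "p-100": Project("p-100", "alice", False, "DB_URL=postgres://alice:s3cret@db/app"),
    "p-200": Project("p-200", "bob", True, "print('hello')"),
}
DENIED_READS: list = []   # (caller, project_id) pairs; the input to detection

class Forbidden(Exception):
    pass

def get_project_vulnerable(caller_id: str, project_id: str) -> Project:
    """BOLA: the caller is authenticated, but ownership of the object is never checked."""
    if not caller_id:
        raise Forbidden("unauthenticated")
    return PROJECTS[project_id]   # any valid id returns another user's source

def get_project(caller_id: str, project_id: str) -> Project:
    """Hardened: authorize per object; missing and not-owned look identical to the caller."""
    if not caller_id:
        raise Forbidden("unauthenticated")
    project = PROJECTS.get(project_id)
    # A public flag exposes the listing, not the source; source stays owner-only.
    if project is None or project.owner_id != caller_id:
        DENIED_READS.append((caller_id, project_id))
        raise Forbidden("not found")
    return project

def can_read_source(caller_id: str, project_id: str, handler=get_project) -> bool:
    """True if `handler` hands the caller the project's source."""
    try:
        return handler(caller_id, project_id).source != ""
    except (Forbidden, KeyError):
        return False

def suspicious_callers(threshold: int = 3) -> set:
    """Accounts with >= threshold denied object reads: id enumeration is the BOLA tell."""
    counts = Counter(caller for caller, _ in DENIED_READS)
    return {caller for caller, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("vulnerable handler, stranger reads alice's source:",
          can_read_source("mallory", "p-100", get_project_vulnerable))
    print("hardened handler, stranger reads alice's source:", can_read_source("mallory", "p-100"))
    print("flagged callers:", suspicious_callers(1))
```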
Read at Theregister