Incident

Lovable AI Platform Exposed Thousands of Projects via BOLA Vulnerability


Lovable, a Swedish AI-coding platform valued at $6.6 billion, faced a significant data exposure incident disclosed on April 20, 2026. The incident was caused by a Broken Object-Level Authorization (BOLA) vulnerability, a variant of IDOR, in the platform's API.

A security researcher, known as @weezerOSINT, reported the flaw through Lovable's bug bounty program on March 3, 2026, but the vulnerability remained unpatched for existing projects for 48 days. The flaw affected projects created before November 2025, including those belonging to major enterprises and nonprofits.

The vulnerability allowed any user with a free account to access sensitive data from other projects using just five API calls. The API failed to validate object ownership, letting unauthorized users iterate through project IDs to retrieve private information. Lovable admitted that while unifying backend permissions in February 2026, they accidentally re-enabled access to chats and code on projects previously marked as public. The company's bug bounty partner, HackerOne, reportedly closed the initial report without escalation, mistakenly believing the exposure was intended behavior.
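To make the failure mode concrete, here is an added example (not Lovable's code) of a project-fetch handler that authenticates the caller but never checks object ownership, next to a hardened version that checks the owner or an explicit public flag. The in-memory store, the `Project` fields and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    id: int
    owner_id: int
    public: bool
    chat: str  # AI chat history; may hold schemas or pasted secrets


# Constructed sample data, not real projects or credentials.
PROJECTS = {
    101: Project(101, owner_id=1, public=False, chat="schema: users(id, email)"),
    102: Project(102, owner_id=2, public=True, chat="public demo app"),
    103: Project(103, owner_id=2, public=False, chat="SUPABASE_KEY=<placeholder>"),
}


class NotFound(Exception):
    """Single error for both 'missing' and 'not yours', so IDs cannot be probed."""


def get_project_bola(requester_id: int, project_id: int) -> Project:
    """Vulnerable: the caller is logged in, but nobody asks who owns the object."""
    if project_id not in PROJECTS:
        raise NotFound
    return PROJECTS[project_id]


def get_project_safe(requester_id: int, project_id: int) -> Project:
    """Hardened: object-level check on ownership or an explicit public flag."""
    project = PROJECTS.get(project_id)
    if project is None or not (project.public or project.owner_id == requester_id):
        raise NotFound
    return project


def audit_visibility(fetch, requester_id: int, id_range) -> list[int]:
    """Regression check: which project IDs can this requester actually read?

    Run it with an account that owns nothing; anything beyond public projects
    means the handler under test has a BOLA.
    """
    readable = []
    for pid in id_range:
        try:
            fetch(requester_id, pid)
            readable.append(pid)
        except NotFound:
            pass
    return readable
```

The audit with a fresh account (owner of nothing) reads every stored project through the vulnerable handler but only the public one through the hardened handler.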

The compromised data includes:

  • Hardcoded Supabase database credentials
  • Internal source code for thousands of projects
  • AI chat histories containing database schemas and development discussions
  • Full names and job titles
  • LinkedIn profiles and Stripe customer IDs
  • 1.5 million API authentication tokens (in related vibe-coded incidents)

The flaw affected thousands of projects. One hosted application exposed 18,697 user records.

Lovable initially denied the breach, claiming the exposure was "intentional behavior" and blaming unclear documentation. After public backlash and reports, the company acknowledged the error and reverted the backend permission changes to make all public project chats private again. The startup stated it is working to improve its internal escalation processes and documentation regarding project visibility. 

This incident highlights a broader security crisis in "vibe coding," where AI-generated code often lacks standard security controls like row-level security. Industry data suggests that up to 62% of AI-generated code contains vulnerabilities, producing flaws at nearly three times the rate of human-written code. Organizations using AI coding tools should audit all generated code for hardcoded secrets and ensure row-level security is active on backend databases. Users are advised to rotate any API keys or database credentials used within the Lovable platform and monitor for unauthorized access to linked services like Stripe or Supabase.