Lovable AI App Builder API Flaw Exposes Thousands of

By Sarah simpson, April 20, 2026

A critical Broken Object Level Authorization (BOLA) vulnerability in Lovable, a popular AI-powered app builder platform, reportedly lets unauthorized users read sensitive project data: source code, database credentials, AI chat histories, and real customer information from thousands of projects created before November 2025.

The flaw lets any free-tier Lovable account holder call the platform's backend API with their own credentials and retrieve project data belonging to other users. The API authenticates the caller but does not check that the caller owns the project referenced in the request.

BOLA vulnerabilities occur when an API serves an object identified in the request without verifying that the requesting user owns it or is otherwise permitted to view it. This class of flaw is ranked #1 (API1:2023) in the OWASP API Security Top 10 because it is both common and easy to exploit: an attacker typically needs nothing more than a valid account and another user's object identifier.
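To make the pattern concrete, the following is an added example written for this article, not Lovable's code: a minimal in-memory version of a project-messages endpoint. The vulnerable handler checks only that the caller is logged in and then serves whatever project id it is given; the fixed handler scopes the lookup to the caller's own projects. The session tokens, user ids, project ids and message contents are all constructed for the demonstration.

```python
"""Broken Object Level Authorization, shown on a minimal project-messages API.
Added example, not Lovable's code: the store, tokens and ids are constructed."""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed data: a bearer token per user, and two projects with owners.
SESSIONS = {"tok_alice": "user_alice", "tok_bob": "user_bob"}
PROJECTS = {
    "proj_1": {"owner": "user_alice",
               "messages": ["DB_URL=postgres://app:pw@db.example/app", "add login"]},
    "proj_2": {"owner": "user_bob", "messages": ["make the hero section blue"]},
}


@dataclass
class Response:
    status: int
    body: Any = None


def authenticate(token: str) -> Optional[str]:
    """Authentication only: who is calling? (Not what they may read.)"""
    return SESSIONS.get(token)


def get_project_messages_vulnerable(token: str, project_id: str) -> Response:
    """BOLA: any logged-in caller can read any project's messages by id."""
    caller = authenticate(token)
    if caller is None:
        return Response(401)
    project = PROJECTS.get(project_id)
    if project is None:
        return Response(404)
    return Response(200, project["messages"])


def find_owned_project(project_id: str, owner: str) -> Optional[dict]:
    """Object-level authorization at the data layer: the lookup itself is
    scoped to the caller, like `WHERE id = ? AND owner_id = ?` in SQL,
    so a forgotten check in a handler cannot leak another user's row."""
    project = PROJECTS.get(project_id)
    if project is None or project["owner"] != owner:
        return None
    return project


def get_project_messages_fixed(token: str, project_id: str) -> Response:
    """Same endpoint with the ownership check. A foreign id gets 404, not
    403, so the response does not confirm that the id exists."""
    caller = authenticate(token)
    if caller is None:
        return Response(401)
    project = find_owned_project(project_id, caller)
    if project is None:
        return Response(404)
    return Response(200, project["messages"])


def cross_account_probe(handler) -> dict:
    """The check a bug-bounty tester runs: does Bob's token read Alice's
    project? Returns status codes keyed by (token, project id)."""
    return {
        ("tok_alice", "proj_1"): handler("tok_alice", "proj_1").status,
        ("tok_bob", "proj_1"): handler("tok_bob", "proj_1").status,
        ("", "proj_1"): handler("", "proj_1").status,
    }


if __name__ == "__main__":
    print("vulnerable:", cross_account_probe(get_project_messages_vulnerable))
    print("fixed:     ", cross_account_probe(get_project_messages_fixed))
```

The probe is the whole test for this bug class: two accounts, one object id, and a request from the account that does not own it. A 200 from the vulnerable handler is the finding; the fixed handler returns 404 for the foreign id and 401 for a missing token.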

According to a researcher with the handle @weezerOSINT, the API endpoint https://api.lovable.dev/GetProjectMessagesOutputBody appears to return the full message history, AI thinking logs, and tool-use records of whatever project is referenced in the request, without enforcing object-level access controls.

The exposed JSON responses contain user IDs, session content, and internal AI reasoning chains that were never intended to be accessible to anyone but the project's owner.

The vulnerability was reported to Lovable via HackerOne approximately 48 days before public disclosure, yet the flaw reportedly remains unpatched for projects created prior to November 2025.

Lovable has a mass data breach affecting every project created before November 2025.

I made a Lovable account today and was able to access another user's source code, database credentials, AI chat histories, and customer data; all are readable by any free account.

nvidia,… pic.twitter.com/QcVvz9cNZl

— impulsive (@weezerOSINT) April 20, 2026

While Lovable appears to have applied a fix for newly created projects, the legacy project base remains exposed, leaving a significant risk window for users who built applications on the platform before the November 2025 cutoff.

Researchers examining the vulnerability uncovered particularly alarming examples. One affected project belonged to Connected Women in AI, a nonprofit organization, and reportedly contained exposed Supabase database credentials alongside real user data.

Among the data found were records linked to individuals from Accenture Denmark and Copenhagen Business School. Beyond nonprofit exposure, employees at major technology firms, including Nvidia, Microsoft, Uber, and Spotify, reportedly have Lovable accounts tied to affected projects, raising the potential that sensitive corporate development data could be at risk.

The researcher's HackerOne submission was closed as a duplicate of report #3583821, titled “Broken Object Level Authorization on Lovable API leads to unauthorized access to user data and project source code”, and the duplicate was marked Informative. That indicates the issue was already known to Lovable before the March 3, 2026 report, yet public evidence shows the flaw still exploitable against projects on legacy accounts.

Security researchers recommend that Lovable users who created projects before November 2025 immediately rotate any API keys, database credentials (including Supabase keys embedded in those projects), or other secrets stored within them. Users should assume that chat histories and source code associated with older projects may already have been accessed.

The incident underscores a recurring challenge in AI-native development platforms: security controls often lag behind rapid feature deployment, leaving early adopters most exposed.

Organizations building production applications on low-code AI builders should keep secrets management independent of the platform (a vault or the hosting provider's secret store rather than a .env file or a chat prompt) and regularly audit project repositories and chat contexts for any credentials that ended up embedded in them.
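The rotation advice above and the audit advice here share one prerequisite: knowing which secrets are actually sitting in an exported project. The following is an added example, not Lovable tooling, of an offline scan over exported project files and chat transcripts. The sample export is constructed; the detection rules are assumptions about common secret formats (a Postgres URL carrying a password, an env-style assignment of a key or token, and the Supabase convention that service keys are JWTs whose payload carries a "role": "service_role" claim), not a statement of how Lovable stores anything. Anonymous-role JWTs are skipped because they are public by design.

```python
"""Offline scan of exported project files and chat transcripts for embedded
credentials. Added example, not Lovable tooling; sample input is constructed
and the rules are assumptions about common secret formats."""
import base64
import json
import re

# Rules: name -> pattern. The JWT rule is refined after matching by
# decoding the (unverified) payload and keeping only service-role tokens.
RULES = {
    "postgres-url-with-password": re.compile(
        r"postgres(?:ql)?://[^:\s/]+:[^@\s]+@[^\s'\"]+"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


def jwt_role(token: str):
    """Return the 'role' claim of a JWT payload without verifying the
    signature (we are classifying a leak, not trusting the token)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)          # restore base64 padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims.get("role") if isinstance(claims, dict) else None
    except (ValueError, IndexError):
        return None


def redact(secret: str) -> str:
    """Never write the full secret into a report; keep a locatable prefix."""
    return f"{secret[:6]}... ({len(secret)} chars)"


def scan(text: str):
    """Return (rule, line_no, redacted_hit) for each credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES.items():
            for match in pattern.finditer(line):
                hit = match.group(0)
                if name == "jwt":
                    if jwt_role(hit) != "service_role":   # anon keys are public
                        continue
                    name = "supabase-service-role-jwt"
                findings.append((name, line_no, redact(hit)))
    return findings


def _make_jwt(claims: dict) -> str:
    """Build an unsigned JWT-shaped token for the constructed sample only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".c2lnbmF0dXJl"


# Constructed sample: an exported .env followed by a chat transcript excerpt.
SAMPLE_EXPORT = "\n".join([
    "# .env (constructed sample)",
    "SUPABASE_URL=https://example.supabase.co",
    "SUPABASE_ANON_KEY=" + _make_jwt({"role": "anon", "iss": "supabase"}),
    "SUPABASE_SERVICE_ROLE_KEY=" + _make_jwt({"role": "service_role", "iss": "supabase"}),
    "DATABASE_URL=postgresql://postgres:Hunter2Hunter2@db.example.supabase.co:5432/postgres",
    "",
    "# chat transcript (constructed sample)",
    "user: here is my stripe key, use it in the checkout function",
    "user: STRIPE_SECRET=sk_test_ExampleOnly0123456789abc",
    "assistant: I have added the key to the edge function.",
])


if __name__ == "__main__":
    for rule, line_no, hit in scan(SAMPLE_EXPORT):
        print(f"line {line_no:>3}  {rule:<28} {hit}")
```

Every finding is a rotation item, and the line numbers tell you where the value has to be removed afterwards. Note the chat-transcript hit: a key pasted into a prompt lives on in the project's message history, which is exactly the object the leaking endpoint above returns.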
