Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Android 14 vulnerability lets attackers gain full control
July 8, 2026
CISA Warns of Adobe ColdFusion Path Traversal Vulnerability Exploited in Attacks
July 8, 2026
70% of WordPress Sites Exposed to Attacks Due to Outdated PHP Versions
July 8, 2026
Home/CyberSecurity News/Critical API Flaw in Lovable AI App Builder Exposes User Data
CyberSecurity News

Critical API Flaw in Lovable AI App Builder Exposes User Data

Key Takeaways A critical Broken Object Level Authorization (BOLA) flaw in Lovable, an AI app builder, allows unauthorized access to sensitive user and project data. The vulnerability impacts all...

Sarah simpson
Sarah simpson
April 20, 2026 4 Min Read
52 0

Key Takeaways

  • A critical Broken Object Level Authorization (BOLA) flaw in Lovable, an AI app builder, allows unauthorized access to sensitive user and project data.
  • The vulnerability impacts all projects created on the platform before November 2025, potentially exposing source code, database credentials, AI chat histories, and real customer information.
  • Despite being reported to Lovable via HackerOne, the flaw remains unpatched for legacy projects, leaving thousands of applications at risk.
  • The exposed data includes information from nonprofit organizations and potentially employees of major tech companies like Nvidia, Microsoft, Uber, and Spotify.
  • Users with projects created before November 2025 are advised to immediately rotate credentials and assume data exposure.

Critical API Flaw in Lovable AI App Builder Exposes Legacy User Data

A significant security vulnerability has been identified in Lovable, a widely used AI-powered application development platform, which could allow unauthorized individuals to access sensitive project information. The flaw, categorized as a Broken Object Level Authorization (BOLA) issue, reportedly affects all projects created on the platform prior to November 2025, exposing a trove of data including source code, database credentials, AI chat logs, and actual customer data from potentially thousands of applications.

Table Of Content

  • Key Takeaways
  • Critical API Flaw in Lovable AI App Builder Exposes Legacy User Data
  • Broken Object Level Authorization Explained
  • Unpatched Legacy Projects Remain Exposed
  • A Recurring Challenge in AI Development
  • What You Should Do

Broken Object Level Authorization Explained

The core of the vulnerability lies in a Broken Object Level Authorization (BOLA) defect. This type of security lapse occurs when an API fails to adequately verify if a user requesting access to a specific data object is genuinely authorized to view or manipulate it. Essentially, the API grants access without confirming ownership or appropriate permissions. The OWASP API Security Top 10 lists BOLA vulnerabilities as its number one concern due to their common occurrence and relative ease of exploitation.

In the case of Lovable, any user with a free-tier account can reportedly make unauthenticated API calls to the platform’s backend infrastructure and retrieve project data belonging to other users. Security researcher @weezerOSINT highlighted that the API endpoint https://api.lovable.dev/GetProjectMessagesOutputBody appears to return comprehensive project message histories, AI thought processes, and records of tool usage without enforcing necessary object-level access controls. The JSON responses observed reportedly contain user IDs, session content, and internal AI reasoning chains that were never intended for public access.

Unpatched Legacy Projects Remain Exposed

The vulnerability was brought to Lovable’s attention through the HackerOne bug bounty program approximately 48 days before its public disclosure. However, while Lovable seems to have implemented a fix for projects created after November 2025, a substantial base of older projects reportedly remains vulnerable. This leaves a significant window of risk for users who developed applications on the platform before this cutoff date.

Lovable has a mass data breach affecting every project created before november 2025.

I made a lovable account today and was able to access another users source code, database credentials, AI chat histories, and customer data are all readable by any free account.

nvidia,… pic.twitter.com/QcVvz9cNZl

— impulsive (@weezerOSINT) April 20, 2026

Further investigation into the vulnerability revealed particularly concerning instances of exposure. One identified project belonged to Connected Women in AI, a nonprofit organization, and reportedly contained exposed Supabase database credentials along with real user data. This data included records associated with individuals from Accenture Denmark and Copenhagen Business School. Beyond nonprofit entities, employees from prominent technology companies such as Nvidia, Microsoft, Uber, and Spotify reportedly have Lovable accounts linked to affected projects, raising alarms about potential exposure of sensitive corporate development data.

The vulnerability was submitted on the HackerOne platform and subsequently marked as a duplicate of report #3583821, titled “Broken Object Level Authorization on Lovable API leads to unauthorized access to user data and project source code.” The “Informative” flag on the duplicate submission suggests that Lovable was aware of this issue prior to the latest public disclosure on March 3, 2026, yet evidence indicates the flaw persists for legacy accounts.

A Recurring Challenge in AI Development

This incident highlights a persistent challenge in the rapidly evolving landscape of AI-native development platforms: security measures often struggle to keep pace with the swift deployment of new features, leaving early adopters particularly vulnerable. Organizations leveraging low-code AI builders for production applications are urged to implement robust secrets management practices independently of the platform and regularly audit API exposure for any sensitive credentials embedded within project repositories or AI chat contexts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

What You Should Do

  • Rotate Credentials Immediately: If you created projects on Lovable before November 2025, assume that all API keys, database credentials, and other secrets stored within those projects may have been compromised. Rotate them without delay.
  • Assume Data Exposure: Understand that chat histories, source code, and potentially customer data associated with your older Lovable projects may have been accessed by unauthorized parties.
  • Audit Project Data: Conduct a thorough audit of your Lovable projects created before the cutoff date to identify any sensitive information that might have been exposed.
  • Implement Independent Secrets Management: For any future development on low-code AI platforms, adopt robust secrets management solutions that are independent of the platform itself.
  • Monitor for Suspicious Activity: Keep a vigilant eye on any accounts or systems linked to your Lovable projects for unusual activity or unauthorized access attempts.

Tags:

BreachExploitHackerPatchSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Microsoft Teams, Quick Assist Flaws Let Attackers Impersonate Helpdesk

Next Post

Iran’s MOIS Coordinated Cyber Espionage Uses Multiple Hacker Personas

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical GhostLock Vulnerability in Linux Kernel Lets Attackers Escalate Privileges
July 8, 2026
OpenAI Secures US Government Clearance for GPT-5.6 Launch
July 8, 2026
Anthropic Extends Free Claude 3 Opus Access on All Paid Plans
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us