Lovable calls data exposure intentional, shifts blame to HackerOne
Lovable’s free‑tier accounts allowed access to other users’ source code, database credentials and chat histories via a BOLA vulnerability; the firm labeled the exposure intentional and faulted HackerOne for missing the bug.

TL;DR
A free Lovable account let anyone view other users’ source code, database credentials and chat histories due to a broken object level authorization flaw. The company called the exposure intentional, then blamed its bug‑bounty partner HackerOne for missing the issue.
Context
Lovable, a vibe‑coding AI platform valued at $6.6 billion, lets users mark projects as public or private. Researchers reported that selecting “public” also exposed the underlying code and secrets of any project, a problem traced to a missing ownership check in the API.
Key Facts
The researcher created a free account and, with five API calls, accessed another user’s profile, public projects and source code, then extracted database credentials. This matches a Broken Object Level Authorization (BOLA) vulnerability, where the API fails to validate that a user owns the object they request. The flaw was reported 48 days earlier through HackerOne, which labeled the submission a duplicate and left it open. Lovable first said the visibility was unclear documentation, then stated that showing code for public projects was intentional behavior by design, and later blamed HackerOne for not escalating the report. The company said it had retroactively patched the API in December 2025 to block chat access on public projects, but a February 2025 permission‑unification effort accidentally re‑enabled the access.
What It Means
The incident shows how ambiguous API authorization can leak sensitive data even without sophisticated hacking. It also highlights the risk when companies deflect responsibility onto bug‑bounty platforms instead of fixing the underlying flaw. Users of Lovable should assume any project marked public before the February 2025 re‑exposure may have been accessible to anyone with a free account.
What Defenders Should Do
- Review API endpoints for object‑level authorization and enforce ownership checks (MITRE ATT&CK T1190).
- Apply the principle of least privilege: ensure public flags only expose intended assets.
- Monitor for anomalous API calls that read multiple users’ objects; a detection signature could flag >3 distinct object IDs accessed from the same token within a minute.
- If using Lovable, audit project visibility settings and rotate any database credentials or API keys stored in source code.
- Encourage vendors to publish a CVE for the BOLA flaw and subscribe to their security advisories for patches.
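The missing ownership check described under Key Facts and the detection signature in the list above, as an added example that is not Lovable's code: an authorization function in which the public flag widens the view only to intended fields, and a rule that flags any token reading more than three distinct object IDs within a minute, run over constructed log lines. The project store, field names, tokens and timestamps are all hypothetical.

```python
# Added example, not Lovable's code: an object-level authorization check where
# the public flag exposes only intended fields, plus the ">3 distinct object IDs
# per token per minute" rule over constructed log lines. All data is hypothetical.
from collections import defaultdict
from datetime import datetime, timedelta

PROJECTS = {  # constructed data; 'public' must never reveal code or secrets
    "p1": {"owner": "alice", "public": True, "name": "demo",
           "code": "print('hi')", "db_url": "postgres://u:p@h/db", "chat": ["q"]},
    "p2": {"owner": "bob", "public": False, "name": "private",
           "code": "x = 1", "db_url": "postgres://x:y@h/db", "chat": ["r"]},
}
PUBLIC_FIELDS = {"name"}                     # what a public flag may expose
OWNER_FIELDS = PUBLIC_FIELDS | {"code", "db_url", "chat"}

def get_project(caller, project_id):
    """Return only the view of project_id that caller is authorized to see.
    The ownership check runs on every request; a public flag widens the
    view to PUBLIC_FIELDS only, never to code, credentials or chat."""
    project = PROJECTS.get(project_id)
    if project is None:
        return None
    if project["owner"] == caller:
        return {k: project[k] for k in OWNER_FIELDS}
    if project["public"]:
        return {k: project[k] for k in PUBLIC_FIELDS}
    return None  # neither owner nor public: deny as if it did not exist

def flag_enumeration(log_lines, max_ids=3, window_s=60):
    """Flag tokens that read more than max_ids distinct object IDs inside a
    sliding window_s-second window. Constructed log format:
    '<ISO timestamp> token=<id> GET /projects/<object_id>'."""
    recent = defaultdict(list)   # token -> [(timestamp, object_id), ...]
    flagged = set()
    for line in log_lines:
        ts, tok, _, path = line.split()
        token, obj, when = tok.split("=", 1)[1], path.rsplit("/", 1)[1], datetime.fromisoformat(ts)
        recent[token] = [(t, o) for t, o in recent[token]
                         if when - t <= timedelta(seconds=window_s)] + [(when, obj)]
        if len({o for _, o in recent[token]}) > max_ids:
            flagged.add(token)
    return flagged

SAMPLE_LOG = [  # constructed: tokA reads four projects within 40 seconds
    "2025-02-01T10:00:00 token=tokA GET /projects/p1",
    "2025-02-01T10:00:10 token=tokA GET /projects/p2",
    "2025-02-01T10:00:20 token=tokB GET /projects/p1",
    "2025-02-01T10:00:25 token=tokA GET /projects/p3",
    "2025-02-01T10:00:40 token=tokA GET /projects/p4",
    "2025-02-01T10:02:00 token=tokA GET /projects/p5",  # outside the window
]
```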
Watch for Lovable’s next update on API authorization controls and whether it adopts private‑by‑default for all new projects.