Cybersecurity / 1 hr ago

Lovable Shifts Blame After Free‑Account Data Leak Exposes Source Code and Credentials

Lovable’s free‑account BOLA vulnerability exposed source code, credentials and chat histories. The company shifted blame, then admitted a backend mistake. Mitigations and next steps.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: The Register (original source)

TL;DR: A researcher showed that a free Lovable account could read other users’ source code, database credentials and chat histories. The company first called the exposure intentional, then blamed unclear documentation and a backend change that accidentally re‑enabled chat access.

Context

Lovable markets itself as a vibe‑coding AI tool used by firms such as Uber and Deutsche Telekom. Its free tier lets anyone create projects, but until May 2025 only paid users could make them private. In December 2025 the platform switched to private‑by‑default for all tiers.

Key Facts

On March 3 the researcher submitted a bug report via HackerOne showing that five API calls from a free account retrieved another user’s project data, including source code that contained database credentials. Lovable initially said that the visibility of code and chat on public projects was intentional and by design; it later conceded that its documentation of what “public” meant was unclear. The company also disclosed that a February backend update had unintentionally re‑allowed access to chat messages on public projects, an exposure the researcher had reported 48 days earlier.

What It Means

The flaw is Broken Object Level Authorization (BOLA), the class cataloged as CWE‑639 (Authorization Bypass Through User‑Controlled Key) and listed as API1:2023 in the OWASP API Security Top 10. The server looks up an object by a caller‑supplied identifier and returns it without checking that the caller is allowed to see it, so no special tooling is needed: an attacker iterates over project IDs from an ordinary authenticated account. Here the returned objects included source code, the database credentials embedded in it and private chat histories, which is enough for credential theft against customers’ databases, for downstream supply‑chain attacks on code those customers deploy, and for reputational harm to Lovable’s enterprise customers.
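To make the authorization failure concrete, here is a BOLA‑vulnerable project handler beside a hardened one. This is an added example with a hypothetical in‑memory store and made‑up project records; it is not Lovable’s code and mirrors none of its real endpoints. The hardened version returns the same “not found” result for private and nonexistent projects (so the endpoint is not an existence oracle) and serves chat history only to the owner, even on public projects.

```python
"""Object-level authorization on a project endpoint: the BOLA-vulnerable
handler beside a hardened one. Added example with a hypothetical in-memory
store; it is not Lovable's code and does not model its API."""
from dataclasses import dataclass, field


@dataclass
class Project:
    id: int
    owner: str
    public: bool
    source: str
    chat: list = field(default_factory=list)


# Constructed sample data. The embedded connection string is illustrative,
# standing in for the kind of credential the article says leaked via source.
PROJECTS = {
    1041: Project(1041, "alice", False,
                  "DB_URL=postgres://app:hunter2@db/app", ["build me a CRM"]),
    1042: Project(1042, "bob", True,
                  "export const greet = () => 'hi';", ["make a landing page"]),
}


class NotFound(Exception):
    """Single failure type so callers cannot tell 'private' from 'absent'."""


def get_project_vulnerable(requester: str, project_id: int) -> dict:
    """CWE-639: looks the object up by the caller-supplied key and returns
    everything. The requester is never consulted, so any account can read
    any project's source and chat."""
    p = PROJECTS.get(project_id)
    if p is None:
        raise NotFound
    return {"id": p.id, "source": p.source, "chat": p.chat}


def get_project(requester: str, project_id: int) -> dict:
    """Hardened: ownership decides what the caller may see, on every request.
    Non-owners of private projects get the same NotFound as for missing IDs.
    Public projects expose source only; chat stays owner-only regardless."""
    p = PROJECTS.get(project_id)
    if p is None or (p.owner != requester and not p.public):
        raise NotFound
    view = {"id": p.id, "source": p.source}
    if p.owner == requester:
        view["chat"] = list(p.chat)
    return view


def can_read(requester: str, project_id: int) -> bool:
    """True if the hardened handler would serve the project to requester."""
    try:
        get_project(requester, project_id)
        return True
    except NotFound:
        return False
```

The check lives in the handler that loads the object, not in a gateway or a route prefix: object‑level authorization needs the object’s owner, which only the data layer knows. Note that even the hardened handler still serves whatever secrets a user committed to a public project’s source, which is why customers also need to keep credentials out of code.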

Mitigations / What Defenders Should Do

Organizations that built on Lovable should treat any secret that ever lived in a project’s source, database connection strings above all, as exposed: rotate it now and check whether the project was public during the affected window. Only Lovable can fix the authorization logic on its own endpoints, so customers should also ask the vendor to confirm exactly what “public” exposes today.

For teams running similar platforms, the fix is an ownership check on every object access, performed server‑side on each request, with the same “not found” response for private and nonexistent objects. Random, non‑guessable identifiers add friction but are not a substitute for that check, and an API gateway can enforce authentication and rate limits but rarely knows who owns which object. Security teams should monitor API logs for a single client reading many distinct object IDs, especially in sequence, rather than relying on a signature for “altered” IDs, which the server cannot distinguish from legitimate ones (MITRE ATT&CK T1190, Exploit Public‑Facing Application). Bug‑bounty triage should escalate reports marked as duplicates whenever they contain new evidence, since the chat exposure here had been reported 48 days before the company acknowledged it.
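One way to turn the monitoring advice into a check, as an added example that is not part of the original article: the log format, client identifiers and thresholds below are assumptions, and the log lines are constructed. The detector counts distinct project IDs each client successfully read and the longest run of consecutive IDs it requested (including 404s, which still reveal the walk), and flags clients over either threshold.

```python
"""Flag clients that walk object IDs on a project endpoint. Added example on
constructed access-log lines; the log format and thresholds are assumptions
and not Lovable's. Requires only the standard library."""
import re
from collections import defaultdict

# Assumed log layout: <timestamp> <client> GET /api/projects/<id>[/sub] <status>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET /api/projects/(?P<pid>\d+)\S* (?P<status>\d{3})$"
)

# Constructed sample: u9 reads its own two projects; t-free walks a range.
SAMPLE_LOG = """\
2026-03-03T09:00:01Z u9 GET /api/projects/2210 200
2026-03-03T09:00:05Z u9 GET /api/projects/2211/chat 200
2026-03-03T09:01:00Z t-free GET /api/projects/1040 200
2026-03-03T09:01:01Z t-free GET /api/projects/1041 200
2026-03-03T09:01:02Z t-free GET /api/projects/1042 404
2026-03-03T09:01:03Z t-free GET /api/projects/1043 200
2026-03-03T09:01:04Z t-free GET /api/projects/1044 200
2026-03-03T09:01:05Z t-free GET /api/projects/1045 200
"""


def longest_run(ids) -> int:
    """Length of the longest run of consecutive integers in ids."""
    best = cur = 0
    prev = None
    for n in sorted(ids):
        cur = cur + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, cur)
        prev = n
    return best


def enumeration_suspects(log: str, min_distinct: int = 5, min_sequential: int = 3) -> dict:
    """Return {client: (distinct_ids_read_with_200, longest_consecutive_run)}
    for clients exceeding either threshold. Successful reads are the
    exploitation signal; every requested ID, 404s included, feeds the
    sequence check because a walk shows up before it hits anything."""
    read_ok = defaultdict(set)
    requested = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated endpoint or malformed line
        pid = int(m["pid"])
        requested[m["client"]].add(pid)
        if m["status"] == "200":
            read_ok[m["client"]].add(pid)
    suspects = {}
    for client, ids in requested.items():
        distinct_ok = len(read_ok[client])
        run = longest_run(ids)
        if distinct_ok >= min_distinct or run >= min_sequential:
            suspects[client] = (distinct_ok, run)
    return suspects


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))
```

On a platform where public projects are legitimately browsable, volume alone will produce false positives; the signal is much stronger if the application log also records the object’s owner, so that reads by non‑owners of private objects can be counted directly.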

What to Watch Next

Watch for Lovable’s post‑mortem report, any assigned CVE for the BOLA flaw, and whether the company revises its public‑project policy or expands private‑project access to free users.
