AI/TLDR

Lovable · 2026-04-21 · notable

Lovable's BOLA Flaw Left 8M Users' Projects Exposed for 48 Days

A broken object-level authorization bug in Lovable's API exposed the source code, database credentials, and chat histories of public projects for 48 days. The researcher's report was closed twice by HackerOne triage; Lovable patched within 2 hours of public disclosure.

Lovable vibe coding platform security crisis — BOLA vulnerability exposed user projects for 48 days

A 5-API-call BOLA bug let any free Lovable user read another user's source code and database credentials for 48 days.

Key specs

Platform valuation: $6.6B
Users: 8M
Exposure window: 48 days
API calls to access another user's data: 5
Time to patch after public disclosure: 2 hours

What is it?

Lovable is an AI-powered 'vibe coding' platform valued at $6.6B with 8 million users. A researcher discovered a Broken Object Level Authorization (BOLA) vulnerability in Lovable's API: any user with a free account could retrieve another user's project source code, database credentials, and AI chat history by making 5 API calls. The bug affected all public projects created before November 2025.

How does it work?

The API failed to verify that the requesting user owned the resource being fetched — a classic BOLA flaw. The researcher reported it March 3, 2026 via HackerOne. Lovable's triage partners closed it twice without escalating, classifying it as 'intended behavior' for public projects. After 48 days with no fix, the researcher disclosed publicly. Lovable patched the vulnerability within 2 hours of public disclosure. Corporate users including Uber and Zendesk use the platform.
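The ownership check the page describes as missing, shown as an added example (constructed data and hypothetical handlers, not Lovable's code): the vulnerable handler returns every field of any project it can look up by id, while the fixed handler lets a project's "public" flag expose only the source and keeps credentials and chat history owner-only.

```python
# Added example: object-level authorization on a project-fetch endpoint.
# Sample store and handler names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Project:
    id: str
    owner_id: str
    public: bool
    source: str
    db_credentials: str                                  # owner-only secret
    chat_history: list = field(default_factory=list)     # owner-only


# Constructed sample data: one public project, one private project.
PROJECTS = {
    "p1": Project("p1", "alice", True, "print('hi')",
                  "postgres://alice:EXAMPLE-SECRET@db", ["build me an app"]),
    "p2": Project("p2", "bob", False, "print('bye')",
                  "postgres://bob:EXAMPLE-SECRET@db", ["private idea"]),
}


class Forbidden(Exception):
    """Raised for both missing and denied objects, so ids cannot be enumerated."""


def get_project_vulnerable(requester_id, project_id):
    # BOLA: the handler never consults requester_id. Any authenticated
    # account that knows (or guesses) a project id gets owner-only fields.
    p = PROJECTS[project_id]
    return {"id": p.id, "source": p.source,
            "db_credentials": p.db_credentials, "chat_history": p.chat_history}


def get_project_fixed(requester_id, project_id):
    # Object-level check: visibility is decided per field by ownership.
    # "Public" only widens read access to the source, never to secrets.
    p = PROJECTS.get(project_id)
    if p is None:
        raise Forbidden("not found")
    is_owner = requester_id == p.owner_id
    if not (is_owner or p.public):
        raise Forbidden("not found")
    resp = {"id": p.id, "source": p.source}
    if is_owner:
        resp["db_credentials"] = p.db_credentials
        resp["chat_history"] = p.chat_history
    return resp
```

A regression test for this class of bug is the second assertion: a non-owner fetching a public project must get the source and nothing else.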

Why does it matter?

The incident exposes structural security risks in the growing vibe-coding category, where AI generates full-stack applications that users deploy without reviewing the underlying code. Lovable's slow response to a verified, reproducible vulnerability report underscores that bug bounty triage processes at fast-growing AI platforms are not keeping pace with the security implications of the products they're protecting.

Who is it for?

Security engineers; developers who have deployed applications built on Lovable or similar vibe-coding platforms

Sources · 2 outlets

Tags

  • security
  • vibe-coding
  • bola
  • api-security
  • data-exposure
  • responsible-disclosure
  • lovable
  • authorization
