Lovable's 48-Day BOLA Exposure: Source Code, Credentials, and User Data
through a Broken Object Level Authorization flaw — OWASP API #1 — that let any free account access the entire platform's project history. Source code, hardcoded Supabase credentials, Stripe customer IDs, and real names were exposed for 48 days after a HackerOne report was closed without escalation.
The Incident
In April 2026, security researchers disclosed that Lovable — a $6.6 billion vibe coding platform with eight million users — had a Broken Object Level Authorization (BOLA) vulnerability ranked #1 on OWASP’s API Security Top 10. The /projects/{id}/* endpoints verified Firebase authentication tokens but skipped ownership checks entirely. Anyone with a free account could enumerate and access the entire platform’s project history.
This is Lovable’s second major security incident. In May 2025, researchers found the platform shipped 170+ apps without row-level security on Supabase databases. This time, the flaw was in Lovable’s own infrastructure.
What Was Exposed
The vulnerability affected every project created before November 2025, potentially impacting tens of thousands of developers and their end users:
- Full source code of user-built applications
- Hardcoded Supabase credentials in the exposed source
- Real names, job titles, and LinkedIn profiles from AI chat histories
- Stripe customer IDs
- Database schemas and API keys embedded in projects
Researchers used the exposed Supabase credentials to query live databases and pull real user data from applications built on the platform — a chain reaction from a single authorization check that was never written.
The Response Timeline
The timeline is what makes this incident exceptional:
- A security researcher filed a detailed bug report through HackerOne
- Lovable closed the report without escalation
- The vulnerability remained open for 48 days
- When researchers went public, Lovable stated it “did not suffer a data breach” and attributed the exposure to “intentional behavior”
- The company then blamed “unclear documentation” about what “public” implies
- Finally, Lovable threw HackerOne under the bus for the report handling
In February 2026, while unifying permissions in its backend, Lovable accidentally re-enabled access to chat histories on public projects — a regression that undid a prior API patch. The company’s shifting explanations undermined confidence in its security posture.
Who Uses Lovable
This is not a hobbyist platform. Companies including Uber, Zendesk, and Deutsche Telekom use Lovable’s vibe coding tools, making the scope of potential downstream exposure significant.
The Pattern
BOLA is the single most common API vulnerability in the wild, and it is also the one most consistently introduced by AI-generated code. An AI assistant will generate authentication middleware that validates tokens — that part is syntactically obvious. But the authorization check (“does this user own this resource?”) requires understanding the business logic. AI tools consistently skip it because the code works without it. Every request returns data. The tests pass. The demo is impressive. And every project on the platform is readable by every other user.
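The gap between the two checks is easiest to see side by side. The following is an added example, not Lovable's code and not anything from the researchers' report: a minimal in-memory handler for a `/projects/{id}` route written in Node.js. The token format (`valid:<uid>` standing in for a verified Firebase ID token), the sample projects, and the policy rules (private projects are owner-only; public projects expose source to any signed-in user but chat history only to the owner) are all assumptions made for the illustration.

```javascript
// Added example, not Lovable's code: a minimal in-memory /projects/{id} handler
// that separates authentication (who is calling) from authorization (may this
// caller read this object), with a regression suite for the policy.

// Constructed sample data: two projects owned by two different users.
const PROJECTS = new Map([
  ["p-100", { owner: "uid-alice", visibility: "private",
              source: "const SUPABASE_KEY = 'PLACEHOLDER_NOT_A_REAL_KEY';",
              chat: ["alice: build me a CRM"] }],
  ["p-200", { owner: "uid-bob", visibility: "public",
              source: "export default App;",
              chat: ["bob: add a checkout page"] }],
]);

// Stand-in for Firebase ID-token verification. A real server would call
// admin.auth().verifyIdToken(); here a valid token is simply "valid:<uid>".
function authenticate(req) {
  const m = /^Bearer valid:(\S+)$/.exec(req.headers.authorization || "");
  return m ? { uid: m[1] } : null;
}

// Vulnerable shape: the token proves identity, then the path parameter is
// trusted outright. Every authenticated user can read every project.
function getProjectVulnerable(req) {
  const user = authenticate(req);
  if (!user) return { status: 401 };
  const project = PROJECTS.get(req.params.id);
  if (!project) return { status: 404 };
  return { status: 200, body: project }; // BOLA: no owner or visibility check
}

// Assumed policy, kept in one function so every /projects/{id}/* route shares
// it: private projects are owner-only; public projects expose source to any
// signed-in user but chat history only to the owner.
function canRead(user, project, resource) {
  if (project.owner === user.uid) return true;
  if (project.visibility !== "public") return false;
  return resource === "source";
}

// Hardened shape: authenticate, load, then authorize against the caller.
function getProjectResource(req, resource) {
  const user = authenticate(req);
  if (!user) return { status: 401 };
  const project = PROJECTS.get(req.params.id);
  // Same 404 for "missing" and "not yours" so ID enumeration learns nothing.
  if (!project || !canRead(user, project, resource)) return { status: 404 };
  return { status: 200, body: project[resource] };
}

function request(uid, id) {
  return { headers: { authorization: `Bearer valid:${uid}` }, params: { id } };
}

// Policy regression checks. Run in CI so a permissions refactor that quietly
// re-opens chat history on public projects fails before it ships.
function policyRegressionSuite() {
  return {
    vulnerableLeaksPrivateSource:
      getProjectVulnerable(request("uid-bob", "p-100")).status === 200,
    fixedHidesPrivateSource:
      getProjectResource(request("uid-bob", "p-100"), "source").status === 404,
    publicSourceReadable:
      getProjectResource(request("uid-alice", "p-200"), "source").status === 200,
    publicChatHidden:
      getProjectResource(request("uid-alice", "p-200"), "chat").status === 404,
    ownerChatReadable:
      getProjectResource(request("uid-bob", "p-200"), "chat").status === 200,
    unauthenticatedRejected:
      getProjectResource({ headers: {}, params: { id: "p-200" } }, "source").status === 401,
  };
}

console.log(policyRegressionSuite());
```

Run it with `node` and every entry in the printed object is `true`. Two design choices carry the weight: the policy lives in one `canRead` function that every route calls, so a refactor of one endpoint cannot drop the check for just that endpoint, and the regression suite encodes "what public implies" as executable expectations rather than documentation, which is exactly the ambiguity the February permissions change fell into. Returning 404 for both a missing project and a forbidden one keeps a caller from using the response to confirm which IDs exist.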
The Lesson
This is not a one-off bug. This is the structural failure mode of vibe coding: authentication without authorization, correct syntax without correct semantics, and a company culture that closed a critical bug report rather than escalating it. The 48-day exposure window is not a technical failure — it’s an organizational one.