Voices
Lovable's $5B Vibe Coding Platform Hit by Mass Security Breach — Company Calls Exposed Credentials 'Intentional Behavior'
Security researcher @weezerOSINT demonstrated that any free Lovable account could access other users' source code, database credentials, AI chat histories, and customer data via a Broken Object Level Authorization (BOLA) API flaw. The vulnerability affects every project created before November 2025, exposing tens of thousands of developers. Researchers demonstrated access to hardcoded Supabase credentials revealing real names and Stripe customer IDs from organizations including Accenture Denmark. Lovable initially denied the breach, then called it 'intentional behavior,' sparking backlash across the security community.
Source
↳ Follow the thread