AI development platform Lovable is under fire following reports of a vulnerability that allowed users to access others’ sensitive data.
A security researcher claims that the issue enabled viewing source code, login credentials, and chat history from other projects using a free account, reports The Register.
According to the researcher, active on X under the name @weezerOSINT, no sophisticated attack was needed to access this information. A limited number of API requests was reportedly sufficient to gain insight into other users’ data. The leak reportedly stemmed from a so-called Broken Object Level Authorization (BOLA) vulnerability: the API checked that a request came from a logged-in user, but did not adequately verify that this user was authorized to access the specific object (such as another user’s project) being requested.
Lovable initially responded cautiously to the findings. The company stated that there was no data breach, that the data visibility was related to settings for public projects, and that ambiguity in the documentation may have led to misunderstandings. A more detailed explanation followed, acknowledging that the company’s earlier communication had been inadequate.
In that second response, Lovable explained how the distinction between public and private projects led to confusion in practice. Users had assumed that only published applications were visible, while underlying chat data could also be accessible. The company indicated that this interpretation is understandable and that the system’s design did not provide sufficient clarity in this regard.
Late action following renewed attention
The vulnerability had previously been reported via the bug bounty platform HackerOne, but according to Lovable, it was not escalated there because the visibility of certain data was viewed as intended behavior. Only after the issue resurfaced was access to chat data from public projects restricted again.
Lovable states that the issue has since been resolved and that chat data from projects is no longer accessible to other users. The company also emphasizes that users always had the option to set projects to private, although that option was not available to all users in the past.
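To make the Broken Object Level Authorization pattern concrete, and the public/private confusion described above, here is a small added example; it is not Lovable’s code, API or schema. It models a project-hosting API with an in-memory store: the first handler reproduces the BOLA flaw (it checks only that the caller is logged in, not that the caller owns the project), and the second enforces a per-object, per-action check in which a public project exposes only its published output, never its chat history, source or credentials. All project ids, user names and sample data are constructed for this example.

```python
"""Object-level authorization for a project-hosting API (added example).

Names, ids and sample data below are constructed; this is not Lovable's
code or data model.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Project:
    project_id: str
    owner_id: str
    is_public: bool          # the user-facing "public project" setting
    published_html: str      # what a public project is meant to expose
    source: str
    chat_history: list = field(default_factory=list)
    secrets: dict = field(default_factory=dict)


# Constructed sample store: one public project and one private project.
PROJECTS = {
    "p-100": Project("p-100", "alice", True, "<h1>Alice's app</h1>", "print('hi')",
                     ["alice: build me a todo app"], {"DB_PASSWORD": "example-only"}),
    "p-200": Project("p-200", "bob", False, "<h1>Bob's app</h1>", "print('bye')",
                     ["bob: add billing"], {"API_KEY": "example-only"}),
}

# Requests refused by the authorization layer. A burst of refusals from one
# account across many project ids is the detection signal for id enumeration.
DENIED_LOG: list = []


def get_chat_vulnerable(requester_id: str, project_id: str) -> Optional[list]:
    """BOLA: verifies authentication only, never ownership of the object."""
    if not requester_id:
        return None
    project = PROJECTS.get(project_id)
    return project.chat_history if project else None


# action -> (field exposed, may non-owners see it when the project is public?)
# Only the published output is ever visible to non-owners.
ACTIONS = {
    "view_published": ("published_html", True),
    "view_source":    ("source", False),
    "view_chat":      ("chat_history", False),
    "view_secrets":   ("secrets", False),
}


def authorize(requester_id: str, project: Project, action: str) -> bool:
    """Owner may do anything; others get only public-safe actions on public projects."""
    _, public_ok = ACTIONS[action]
    if requester_id == project.owner_id:
        return True
    return project.is_public and public_ok


def access(requester_id: str, project_id: str, action: str):
    """Hardened handler: resolve the object, then check (subject, object, action).

    Returns None for both 'not found' and 'forbidden' so the response shape
    does not reveal which project ids exist.
    """
    project = PROJECTS.get(project_id)
    if project is None or not authorize(requester_id, project, action):
        DENIED_LOG.append((requester_id, project_id, action))
        return None
    field_name, _ = ACTIONS[action]
    return getattr(project, field_name)


def denied_attempts_by(requester_id: str) -> int:
    """Count of refused requests per account, for rate-based alerting."""
    return sum(1 for r, _, _ in DENIED_LOG if r == requester_id)
```

The key design point is that the authorization decision takes the object as input: the hardened handler cannot return a field without first loading the project and comparing its owner to the requester, so a project id guessed by another user yields the same empty response as a non-existent one. Treating "published output" and "chat history" as separate actions is what keeps a public project from leaking its conversation, which is the distinction the article says users assumed and the platform did not enforce.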
The incident underscores growing concerns about security on AI platforms, especially as they are increasingly deployed in corporate environments. According to previous announcements, organizations such as Uber and Deutsche Telekom use Lovable’s technology. Consequently, a vulnerability like this can have a broader impact than just on individual users.