A significant security vulnerability has been identified in Lovable, a leading AI-driven app builder platform. This flaw, known as a Broken Object Level Authorization (BOLA) vulnerability, potentially allows unauthorized access to sensitive project data, including crucial elements like source code and customer information from projects developed before November 2025.
Understanding the BOLA Vulnerability
The identified issue permits users with a basic, free-tier account on Lovable to make API calls that return other users’ project data without proper authorization. The vulnerability stems from the platform’s failure to verify whether the requesting user has the right to view or manipulate the specific object being requested, a class of flaw ranked first in the OWASP API Security Top 10 because of its widespread impact and ease of exploitation.
Researcher @weezerOSINT has highlighted that specific API endpoints return extensive project details, including AI logs and user session data, without enforcing necessary access controls. This exposure has led to the unintended public availability of sensitive information, which should have remained private.
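The missing check described above is an object-level authorization check: the API authenticates the caller but never asks whether that caller may see the particular project it was asked for. The following is an added Python example, not Lovable's code; the in-memory project store, the user and project ids, the handler names and the audit log are all constructed for illustration. It puts the vulnerable handler beside a fixed one and shows the design choices a fix should make: the ownership check runs before any data is read into the response, an unauthorized id and a non-existent id both produce the same "not found" result so the response cannot be used to confirm which ids exist, and every denial is recorded so that one account reading many projects it does not own becomes visible in the audit trail.

```python
"""Object-level authorization for a project API: the BOLA pattern beside its fix.

Added example, not Lovable's code. The store, ids, handlers and audit log
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Project:
    project_id: str
    owner_id: str
    collaborators: set = field(default_factory=set)
    source_code: str = ""
    env_vars: dict = field(default_factory=dict)


# Constructed sample data: two users, each owning one project; carol is a
# collaborator on bob's project. Secret values are placeholders.
PROJECTS = {
    "proj-100": Project("proj-100", owner_id="user-alice",
                        source_code="print('alice')",
                        env_vars={"DATABASE_URL": "postgres://alice-db.example/app"}),
    "proj-200": Project("proj-200", owner_id="user-bob",
                        collaborators={"user-carol"},
                        source_code="print('bob')",
                        env_vars={"API_KEY": "bob-key-placeholder"}),
}

# Constructed audit sink; a real service would ship these to its SIEM.
AUDIT_LOG: list = []


def _serialize(project: Project) -> dict:
    return {"project_id": project.project_id,
            "source_code": project.source_code,
            "env_vars": project.env_vars}


def get_project_vulnerable(requester_id: str, project_id: str) -> Optional[dict]:
    """The BOLA pattern: the caller is a logged-in user (requester_id is set),
    but nothing compares that user against the project being fetched, so the
    check is missing for every project id."""
    project = PROJECTS.get(project_id)
    if project is None:
        return None
    return _serialize(project)


def _is_authorized(requester_id: str, project: Project) -> bool:
    """Object-level rule: owners and listed collaborators may read a project."""
    return requester_id == project.owner_id or requester_id in project.collaborators


def get_project_secure(requester_id: str, project_id: str) -> Optional[dict]:
    """Fixed handler. Authorization is decided before any data is returned, and
    'no such project' and 'not yours' collapse into the same None (HTTP 404)
    so the response does not reveal whether an id exists. Denials are logged."""
    project = PROJECTS.get(project_id)
    if project is None or not _is_authorized(requester_id, project):
        AUDIT_LOG.append({"event": "project.read.denied",
                          "requester": requester_id,
                          "project_id": project_id})
        return None
    return _serialize(project)


def denied_reads_by(requester_id: str) -> int:
    """Detection helper: how many distinct projects a requester was refused.
    A high count from one account is the signature of id enumeration."""
    return len({e["project_id"] for e in AUDIT_LOG
                if e["event"] == "project.read.denied"
                and e["requester"] == requester_id})


if __name__ == "__main__":
    # bob asks for alice's project: the vulnerable handler hands it over,
    # the fixed handler refuses and records the attempt.
    print(get_project_vulnerable("user-bob", "proj-100"))
    print(get_project_secure("user-bob", "proj-100"))
    print(get_project_secure("user-alice", "proj-100"))
    print(denied_reads_by("user-bob"))
```

The same check has to be applied to every endpoint that takes an object id (logs, session data, environment variables, collaborators), not only the main project read; an authorization rule that lives in one handler and is forgotten in the next is how the detail endpoints mentioned above end up exposed. Keeping the rule in a single function such as `_is_authorized` makes that easier to review.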
Impact on Lovable Users
The vulnerability was reported to Lovable through the HackerOne platform over a month before this disclosure, yet it remains unpatched for projects created before the date mentioned above. While Lovable has introduced fixes for new projects, those developed before that date remain vulnerable, posing a significant risk to users’ data security.
Alarmingly, projects associated with prominent organizations, such as Connected Women in AI, have been affected. This includes exposed database credentials and user information from respected institutions like Accenture Denmark and Copenhagen Business School. Additionally, employees from major tech companies such as Nvidia, Microsoft, Uber, and Spotify have projects linked to compromised accounts.
Recommendations for Affected Users
The incident has prompted security researchers to advise that users of Lovable who created projects before November 2025 should promptly update API keys, database credentials, and any sensitive information stored within these projects. It is prudent for users to assume that any data from these legacy projects might have been accessed.
This situation highlights a common issue with AI-native platforms: security controls often lag behind rapid feature deployment. Organizations relying on low-code AI builders should implement independent secrets management practices and conduct regular audits to protect sensitive credentials and data.
