Lovable API vulnerability allows unauthorized access to source code and AI chat histories

ME News reports that on April 21 (UTC+8), according to monitoring by BlockBeats, security researcher @weezerOSINT disclosed on X that the AI application building platform Lovable has a Broken Object Level Authorization (BOLA) vulnerability: any free account can use API calls to read other users' project source code, database credentials, and AI conversation histories without authorization. The vulnerability was reported via HackerOne on March 3, 2026 (Report #3583821) and remained unpatched 48 days later.

In the demonstration, the researcher accessed a project belonging to the Danish nonprofit Connected Women in AI, retrieving the full source code of its admin panel and reading conversations between its developers and Lovable's AI about the database table structure, including fields such as email, first_name, and last_name.

Comparative testing showed that projects created in April 2026 returned 403 Forbidden, while older projects that the same developer had still been actively editing 10 days earlier returned 200 OK together with the complete source file tree. This indicates that Lovable's permission fix applied only to newly created projects and was not applied retroactively to existing ones.

Lovable initially described the behaviour as "by design" and attributed the report to "unclear documentation", but later acknowledged the error, explaining that a backend permission overhaul in February 2026 had inadvertently re-enabled public access to project chats. The company also blamed HackerOne's triage team for misclassifying the issue, saying triage had treated "viewing chat in public projects" as intended behaviour and closed the report. Lovable, which claims a valuation of $6.6 billion, counts Uber, Zendesk, and Deutsche Telekom among its customers. (Source: BlockBeats)
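To make the object-level check concrete, the following is an added Python example written for this page; it is not Lovable's code and makes no claim about how Lovable's backend is actually implemented. It models a hypothetical project API in two versions: a vulnerable one in which the ownership check is stored as a per-project flag that only newly created projects receive (reproducing the "fixed for new projects only" behaviour the researcher observed), and a hardened one that evaluates (principal, object, resource) on every request regardless of when the project was created. It also includes a sweep that requests every existing project as an unrelated account, which is the regression check that would have flagged the older projects. The `Project` and `Resource` types, the `owner_check_enabled` flag, the account names and all project data are constructed for the example.

```python
# Added example: a BOLA check done wrong and done right.
# Hypothetical, simplified model; not Lovable's code or API.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Resource(Enum):
    SOURCE = "source"      # project source tree
    CHAT = "chat"          # developer <-> AI conversation history
    DB_CREDS = "db_creds"  # database credentials


@dataclass
class Project:
    id: str
    owner: str
    created: date
    public: bool                               # owner chose to share it
    collaborators: set = field(default_factory=set)
    # Hypothetical per-row switch: only rows created after the fix carry it.
    owner_check_enabled: bool = False


# Constructed sample data, not real projects or accounts.
PROJECTS = {
    "old-proj": Project("old-proj", "alice", date(2026, 3, 20), public=False),
    "new-proj": Project("new-proj", "alice", date(2026, 4, 10), public=False,
                        owner_check_enabled=True),
    "pub-proj": Project("pub-proj", "alice", date(2026, 3, 1), public=True),
}


def fetch_vulnerable(db, user, project_id, resource):
    """Anti-pattern: the authorization rule lives on the row, so a fix that
    sets the flag at creation time never reaches pre-existing rows.
    Returns an HTTP-like status code."""
    project = db[project_id]
    if project.owner_check_enabled and user != project.owner:
        return 403
    return 200  # older rows: any authenticated account gets everything


# What a project marked "public" is meant to expose; chat history and
# credentials are never part of that, whatever the sharing flag says.
PUBLIC_RESOURCES = {Resource.SOURCE}


def authorize(project, user, resource):
    """Hardened rule: decided per request from (principal, object, resource)
    only. No per-row switch and no dependence on creation date, so every
    existing project is covered the moment the code ships."""
    if user == project.owner or user in project.collaborators:
        return True
    return project.public and resource in PUBLIC_RESOURCES


def fetch_hardened(db, user, project_id, resource):
    project = db.get(project_id)
    # Same status for "does not exist" and "not yours", so project IDs
    # cannot be enumerated through the error code.
    if project is None or not authorize(project, user, resource):
        return 403
    return 200


def audit(fetch, db, attacker="free-account"):
    """Regression sweep: request every resource of every existing project as
    an unrelated account and report the (project, resource) pairs that the
    API serves but the intended policy would deny. Run against the live
    handler, this is what catches a fix applied only to new projects."""
    leaks = []
    for pid, project in db.items():
        for resource in Resource:
            served = fetch(db, attacker, pid, resource) == 200
            if served and not authorize(project, attacker, resource):
                leaks.append((pid, resource.value))
    return sorted(leaks)


if __name__ == "__main__":
    print("vulnerable handler leaks:", audit(fetch_vulnerable, PROJECTS))
    print("hardened handler leaks:  ", audit(fetch_hardened, PROJECTS))
```

Two design points carry over to any real backend. First, the decision must be a function of the requesting principal, the target object and the resource type, computed at request time; a per-row flag, a migration that only touches new rows, or a check keyed on creation date all produce exactly the split the researcher observed, where new projects return 403 and old ones 200. Second, "public" has to be an explicit allow-list of resource types rather than a blanket switch, otherwise re-enabling public project viewing silently re-exposes chat histories and credentials as well.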
A vulnerability report from MetaEra describes a BOLA flaw in the AI application building platform Lovable that lets free accounts access other users' project source code, database credentials, and AI chat histories. The issue was reported via HackerOne on March 3, 2026, and remained unpatched 48 days later. The researcher demonstrated access to a project by the Danish nonprofit Connected Women in AI, exposing its full source code and sensitive data. Lovable initially dismissed the report as intended design, later acknowledged the error, and blamed HackerOne's triage team for misclassifying the report.