
Critical BOLA Vulnerability Exposes Sensitive Data in Lovable AI App Builder Projects



A serious security issue has been discovered in Lovable, a popular AI-based development platform used to build applications. The vulnerability is reportedly exposing sensitive data from thousands of user projects created before November 2025.

The flaw is a Broken Object Level Authorization (BOLA) vulnerability, which allows unauthorized users to access data that does not belong to them. In this case, it means that free-tier users could potentially access other users’ project data through backend API calls without proper permission checks.

BOLA issues are considered one of the most dangerous API security flaws and are ranked number one in the OWASP API Security Top 10 list due to how common and easy they are to exploit.

According to security research shared by a researcher known as @weezerOSINT, the vulnerability affects an API endpoint that returns full project data.

This includes:

  • Source code of applications
  • AI chat histories
  • Internal AI reasoning logs
  • Tool usage records
  • Database credentials and API keys
  • User IDs and session data

The exposed information comes from JSON responses that were never meant to be publicly accessible.
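To make the BOLA pattern described above concrete, here is an added example (written for this article, not code from Lovable or the researcher) contrasting a project-read handler that skips the object-level check with one that enforces it and also filters fields by the caller's relationship to the project; the store, user ids and values are constructed for the demo, and `bola_regression_check` is a hypothetical helper showing how a team would test the fix.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

class Forbidden(Exception):
    """Raised when the requester may not read the object (same as not-found, to avoid id enumeration)."""

@dataclass
class Project:
    owner_id: str
    public: bool
    source_code: str
    chat_history: List[str]
    secrets: Dict[str, str]

# Constructed sample store; the ids, users and values are made up for this example.
PROJECTS: Dict[str, Project] = {
    "proj-1": Project("alice", False, "print('hello')", ["build me a CRM"], {"DB_URL": "postgres://example"}),
    "proj-2": Project("bob", True, "console.log(1)", ["add a login page"], {"API_KEY": "example-key"}),
}

def get_project_vulnerable(requester_id: str, project_id: str) -> Dict[str, Any]:
    """BOLA: the caller is authenticated, but nothing ties the requested id to the caller."""
    p = PROJECTS[project_id]
    return {"owner": p.owner_id, "source_code": p.source_code,
            "chat_history": p.chat_history, "secrets": p.secrets}

def get_project_fixed(requester_id: str, project_id: str) -> Dict[str, Any]:
    """Object-level check on every read, then field-level filtering by the caller's relationship."""
    p = PROJECTS.get(project_id)
    if p is None:
        raise Forbidden(project_id)
    if p.owner_id == requester_id:
        # Owner view. Secrets are still omitted: they belong on a separate, audited endpoint.
        return {"owner": p.owner_id, "source_code": p.source_code, "chat_history": p.chat_history}
    if p.public:
        # Public view exposes only what "public" is documented to mean: the code, not the chat.
        return {"owner": p.owner_id, "source_code": p.source_code}
    raise Forbidden(project_id)

def bola_regression_check(handler: Callable[[str, str], Dict[str, Any]]) -> List[str]:
    """Return ids of private projects that a non-owner can read through `handler` (should be empty)."""
    leaked = []
    for pid, p in PROJECTS.items():
        if p.public:
            continue
        try:
            handler("not-" + p.owner_id, pid)
            leaked.append(pid)
        except Forbidden:
            pass
    return leaked
```

The regression check is the part worth keeping in CI: it fails the build whenever any private object becomes readable to a caller other than its owner.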

The issue was reportedly submitted to Lovable through the HackerOne bug bounty program around 48 days before public disclosure. The report was marked as a duplicate of a previously submitted issue, suggesting that the platform may have already been aware of the vulnerability.

Despite this, researchers claim that the issue still affects older projects created before November 2025. Projects created after that date appear to have received a partial fix.

Security researchers have found examples of sensitive exposure in real projects. One affected case reportedly involved a nonprofit organization, Connected Women in AI, where database credentials and user data stored in Supabase were exposed.

Other findings suggest that individuals linked to companies such as Accenture Denmark and Copenhagen Business School were present in exposed datasets. There are also reports that employees from companies like Nvidia, Microsoft, Uber, and Spotify may have been affected through project-linked accounts.

Lovable has responded to the reports and said it does not consider this a data breach.

The company said it was made aware of concerns regarding visibility of chat messages and code in projects with public visibility settings. According to Lovable, the issue is related to how “public” projects were defined within the platform rather than an external breach.

Lovable clarified that chat messages in public projects were previously visible, but this has now been changed and is no longer possible. However, it said that code visibility in public projects was intentional and part of the platform’s design, even though it had experimented with different ways of showing build history.

The company also admitted that its documentation around what “public” meant was unclear and called it a failure on its part.

For enterprise users, Lovable confirmed that the option to set new projects to public has been disabled since May 25, 2025.

While a partial fix appears to be in place for new projects, legacy projects created before November 2025 remain a concern. This leaves a large window of exposure for older users of the platform.

Security researchers are warning users to immediately rotate any API keys, database credentials, and secrets stored in Lovable projects. They also recommend assuming that older chat histories and source code may have already been accessed.




About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
