Lovable API Vulnerability Exposes Source Code and AI Chat Histories
A critical vulnerability in Lovable's API has been disclosed that allows unauthorized access to other users' project source code and AI chat histories. Security researcher @weezerOSINT reported that the flaw is a Broken Object Level Authorization (BOLA) bug: the API checks that a caller is logged in but not that the caller owns the object being requested, so any free account can read other users' sensitive data, including database credentials, with ordinary API calls. The issue was reported on March 3, 2026 and remained unpatched 48 days later. Older projects are affected, while newer projects are protected.
During a demonstration, the researcher accessed a project belonging to the Danish nonprofit Connected Women in AI, exposing its admin panel source code and the developers' conversations with the AI. Lovable initially dismissed the report as working-as-designed, but later acknowledged that the exposure was an error introduced during a backend overhaul. The company also criticized HackerOne's triage team for misclassifying the vulnerability. Lovable, valued at $6.6 billion, serves major clients including Uber and Deutsche Telekom.
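The flaw class described above, shown as an added generic example that is not Lovable's code and not the researcher's exploit: a handler that authenticates the caller but never checks object ownership, beside the fixed handler, plus an authorization-matrix check that finds such bugs before release. The project store, account IDs and function names are all constructed for illustration.

```python
"""Generic illustration of a Broken Object Level Authorization (BOLA) bug.

Constructed example: the store, IDs and handler names below are invented and
do not describe Lovable's API or any real endpoint.
"""
from dataclasses import dataclass, field


@dataclass
class Project:
    project_id: int
    owner_id: int
    source: str
    chat_history: list = field(default_factory=list)
    secrets: dict = field(default_factory=dict)


# Constructed sample data: three projects owned by two different accounts.
# Account 3 owns nothing and plays the role of the "free account" attacker.
PROJECTS = {
    101: Project(101, owner_id=1, source="admin panel source",
                 chat_history=["build me an admin panel"],
                 secrets={"DATABASE_URL": "postgres://user:pw@db/app"}),
    102: Project(102, owner_id=2, source="landing page source",
                 chat_history=["make the hero section blue"],
                 secrets={"STRIPE_KEY": "sk_test_constructed"}),
    103: Project(103, owner_id=2, source="internal dashboard source",
                 chat_history=["add a login page"],
                 secrets={}),
}


class Forbidden(Exception):
    """Caller is not authenticated (HTTP 401/403 in a real API)."""


class NotFound(Exception):
    """Object does not exist, or the caller may not see it (HTTP 404)."""


def get_project_vulnerable(requester_id, project_id):
    """BOLA pattern: authenticates the caller but never checks ownership,
    so any logged-in account can fetch any project by ID."""
    if requester_id is None:
        raise Forbidden("login required")
    project = PROJECTS.get(project_id)
    if project is None:
        raise NotFound(project_id)
    return project  # returned to whoever asked


def get_project_fixed(requester_id, project_id):
    """Fixed handler: the ownership check is part of the lookup itself."""
    if requester_id is None:
        raise Forbidden("login required")
    project = PROJECTS.get(project_id)
    # Same 404 for "does not exist" and "not yours", so the response code
    # cannot be used to enumerate which project IDs exist.
    if project is None or project.owner_id != requester_id:
        raise NotFound(project_id)
    return project


def enumerate_projects(handler, requester_id, id_range):
    """Models what one account can harvest by walking project IDs.
    Returns {project_id: {"owner": ..., "secrets": [names]}} for every hit."""
    leaked = {}
    for pid in id_range:
        try:
            project = handler(requester_id, pid)
        except (Forbidden, NotFound):
            continue
        leaked[pid] = {"owner": project.owner_id,
                       "secrets": sorted(project.secrets)}
    return leaked


def cross_tenant_access(handler, requester_ids=(1, 2, 3)):
    """Authorization-matrix check for a test suite: every (requester, object)
    pair where the handler returns an object the requester does not own.
    An empty list means no object-level authorization bypass was found."""
    hits = []
    for rid in requester_ids:
        for pid in PROJECTS:
            try:
                returned = handler(rid, pid)
            except (Forbidden, NotFound):
                continue
            if returned.owner_id != rid:
                hits.append((rid, pid))
    return hits


if __name__ == "__main__":
    print("free account vs vulnerable handler:",
          enumerate_projects(get_project_vulnerable, 3, range(100, 105)))
    print("free account vs fixed handler:",
          enumerate_projects(get_project_fixed, 3, range(100, 105)))
    print("cross-tenant hits (vulnerable):", cross_tenant_access(get_project_vulnerable))
    print("cross-tenant hits (fixed):", cross_tenant_access(get_project_fixed))
```

The matrix check is the part worth keeping: run it against every object-returning handler with a requester from each tenant, and any non-empty result is a BOLA finding regardless of how the endpoint is named or routed. Returning the same 404 for missing and foreign objects is a deliberate choice; a 403 on foreign objects would confirm to an attacker which IDs exist.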
