A serious security issue is raising concerns in the AI development space as the Lovable API vulnerability exposes sensitive project data through a broken authorization mechanism.
Lovable is reportedly affected by a critical Broken Object Level Authorization (BOLA) flaw that allows unauthorized users to access project data belonging to other users. The issue impacts thousands of projects created before November 2025 and exposes highly sensitive information, including source code, database credentials, AI chat histories, and real user data.
The vulnerability falls under the top-ranked item in the OWASP API Security Top 10: the API authenticates the caller but fails to verify whether that caller has permission to access the specific data object requested. In this case, researchers found that any free tier account could send API requests to retrieve other users' project data because the endpoint performed no such authorization check.
According to findings shared by researcher @weezerOSINT, the affected endpoint returns detailed JSON responses containing user identifiers, session logs, and internal AI reasoning chains. These records were not intended for public access but can reportedly be retrieved due to insufficient access controls.
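To make the class of bug concrete, here is an added illustration (not Lovable's code; the store, field names and user IDs are constructed) of a project-read handler with the object-level check missing, beside a hardened version that enforces ownership before serialising anything and keeps secrets out of the generic read response:

```python
"""Broken Object Level Authorization, shown as a vulnerable lookup beside a hardened one.

Added example with a constructed in-memory store; the project fields, user IDs and
credential strings are invented for illustration and are not taken from any real system.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Project:
    project_id: str
    owner_id: str
    source: str
    db_url: str                      # sensitive: must never leave the owner's context
    chat_history: list = field(default_factory=list)


# Constructed sample data: two tenants, one project each.
PROJECTS = {
    "proj-1": Project("proj-1", "user-alice", "print('alice')",
                      "postgres://alice:EXAMPLE_PW@db/alice", ["build me a todo app"]),
    "proj-2": Project("proj-2", "user-bob", "print('bob')",
                      "postgres://bob:EXAMPLE_PW@db/bob", ["add a login page"]),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for the requested object."""


def get_project_vulnerable(caller_id: str, project_id: str) -> dict:
    """BOLA: we know who the caller is (caller_id came from a valid session), but the
    handler never checks that the caller owns the object. Any logged-in account can
    therefore read any project simply by supplying its ID."""
    project = PROJECTS[project_id]
    return {
        "id": project.project_id,
        "owner": project.owner_id,
        "source": project.source,
        "db_url": project.db_url,            # credentials leak to whoever asks
        "chat_history": project.chat_history,
    }


def get_project_secure(caller_id: str, project_id: str) -> dict:
    """Hardened version: resolve the object, enforce ownership, then serialise.

    'Not found' and 'not yours' deliberately produce the same error so the endpoint
    does not confirm which IDs exist. Secrets are excluded from the generic read
    response even for the owner; they belong behind a dedicated, audited endpoint.
    """
    project = PROJECTS.get(project_id)
    if project is None or project.owner_id != caller_id:
        raise Forbidden("project not found or not accessible")
    return {
        "id": project.project_id,
        "owner": project.owner_id,
        "source": project.source,
        "chat_history": project.chat_history,
    }


def try_read(handler: Callable[[str, str], dict], caller_id: str, project_id: str) -> Optional[dict]:
    """Call a handler and return its response, or None when access is refused."""
    try:
        return handler(caller_id, project_id)
    except (Forbidden, KeyError):
        return None


if __name__ == "__main__":
    # Bob reading Alice's project: the vulnerable handler hands over her DB URL,
    # the hardened one refuses.
    print(try_read(get_project_vulnerable, "user-bob", "proj-1"))
    print(try_read(get_project_secure, "user-bob", "proj-1"))
    print(try_read(get_project_secure, "user-alice", "proj-1"))
```

The fix is the single ownership comparison before any data is returned; the point of the example is that authentication (knowing who `caller_id` is) does nothing on its own to protect `proj-1` from `user-bob`.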
The Lovable API vulnerability was initially reported through HackerOne nearly seven weeks before public disclosure. While the platform appears to have addressed the issue for newly created projects, legacy projects remain exposed, creating a prolonged risk window for early users of the platform.
Security analysis revealed particularly concerning cases, including exposure of database credentials and user records from real world applications. Some of the affected data is linked to organizations and individuals associated with companies such as Accenture, Nvidia, Microsoft, Uber, and Spotify, raising concerns about potential exposure of corporate development environments.
The issue has been categorized as a duplicate report on HackerOne, suggesting it may have been previously identified. However, researchers indicate that the vulnerability remains exploitable in older project environments, highlighting gaps in remediation for legacy data.
The Lovable API vulnerability underscores a broader challenge in rapidly evolving AI development platforms, where security controls may not always keep pace with feature expansion. Early adopters of such platforms often face increased exposure when vulnerabilities are discovered after deployment.
Security experts are urging affected users to rotate all API keys, database credentials, and secrets associated with projects created before November 2025. Organizations are also advised to implement independent secrets management practices and regularly audit API access to prevent unauthorized data exposure.
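The audit step in that advice can be mechanised. The following is an added example (not from the page or the vendor) that scans constructed API gateway log lines for successful reads of projects by accounts that do not own them and for callers touching many distinct project IDs, then derives the list of projects whose credentials should be rotated first. The log format, ownership table and threshold are assumptions for the illustration.

```python
"""Audit API access logs for object-level authorization failures.

Added example: the log line format (one JSON object per line with ts, caller, path,
status), the ownership table and the enumeration threshold are all constructed
assumptions, not the format of any real platform.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed ownership table: which account legitimately owns which project.
OWNERS: Dict[str, str] = {"proj-1": "user-alice", "proj-2": "user-bob", "proj-3": "user-bob"}

# Constructed sample log. user-free-99 successfully reads three projects it does not
# own; Bob's attempt on proj-1 was refused (403) and should not be treated as a leak.
SAMPLE_LOG = """\
{"ts":"2025-11-02T10:00:01Z","caller":"user-alice","path":"/api/projects/proj-1","status":200}
{"ts":"2025-11-02T10:00:05Z","caller":"user-bob","path":"/api/projects/proj-2","status":200}
{"ts":"2025-11-02T10:01:10Z","caller":"user-free-99","path":"/api/projects/proj-1","status":200}
{"ts":"2025-11-02T10:01:11Z","caller":"user-free-99","path":"/api/projects/proj-2","status":200}
{"ts":"2025-11-02T10:01:12Z","caller":"user-free-99","path":"/api/projects/proj-3","status":200}
{"ts":"2025-11-02T10:02:00Z","caller":"user-bob","path":"/api/projects/proj-1","status":403}
{"ts":"2025-11-02T10:03:00Z","caller":"user-alice","path":"/api/health","status":200}
"""

PROJECT_PREFIX = "/api/projects/"


def parse_project_id(path: str) -> Optional[str]:
    """Extract the object ID from a project path; None for unrelated endpoints."""
    if not path.startswith(PROJECT_PREFIX):
        return None
    return path[len(PROJECT_PREFIX):].split("/")[0] or None


def audit(log_text: str, owners: Dict[str, str], enum_threshold: int = 3
          ) -> Tuple[List[Tuple[str, str, str, Optional[str]]], List[str]]:
    """Return (cross_tenant_reads, enumerators).

    cross_tenant_reads: (ts, caller, project_id, owner) for every *successful* read
    where caller != owner. A 403 means the control worked, so it is not a leak.
    enumerators: callers who touched at least enum_threshold distinct project IDs,
    a cheap signal for ID enumeration regardless of whether each read succeeded.
    """
    cross_tenant: List[Tuple[str, str, str, Optional[str]]] = []
    ids_per_caller: Dict[str, Set[str]] = defaultdict(set)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        project_id = parse_project_id(event["path"])
        if project_id is None:
            continue
        ids_per_caller[event["caller"]].add(project_id)
        owner = owners.get(project_id)
        if event["status"] == 200 and owner != event["caller"]:
            cross_tenant.append((event["ts"], event["caller"], project_id, owner))

    enumerators = sorted(c for c, ids in ids_per_caller.items() if len(ids) >= enum_threshold)
    return cross_tenant, enumerators


def rotation_candidates(cross_tenant: List[Tuple[str, str, str, Optional[str]]]) -> Set[str]:
    """Projects read by a non-owner: their DB credentials, API keys and secrets are
    the ones to rotate first."""
    return {project_id for _, _, project_id, _ in cross_tenant}


if __name__ == "__main__":
    leaks, enumerators = audit(SAMPLE_LOG, OWNERS)
    for ts, caller, project_id, owner in leaks:
        print(f"{ts} cross-tenant read: {caller} -> {project_id} (owner {owner})")
    print("possible enumerators:", enumerators)
    print("rotate secrets for:", sorted(rotation_candidates(leaks)))
```

Run against real gateway logs, the same two signals (successful reads where caller and owner differ, and callers fanning out across many object IDs) are what an access audit for a BOLA exposure looks for; the rotation list turns the finding directly into the remediation the text recommends.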
The Lovable API vulnerability highlights the critical importance of robust access control mechanisms in modern application architectures. As AI-driven development platforms continue to gain adoption, ensuring secure-by-design principles will be essential to protecting user data and maintaining trust in the ecosystem.