Vibe-coding platform Lovable is facing criticism after a security researcher disclosed a Broken Object Level Authorization (BOLA) vulnerability that allowed any free account holder to access other users' source code, database credentials, AI chat histories, and customer data. The researcher had reported the flaw 48 days earlier via HackerOne, but the report was closed as a duplicate without escalation. Lovable's response shifted multiple times: first calling the exposure 'intentional behavior,' then blaming unclear documentation, and finally admitting that a backend permissions regression in February 2026 had accidentally re-enabled access to public project chats. The company ultimately blamed HackerOne for misclassifying the report. The incident highlights a pattern of AI startups deflecting responsibility for security flaws.
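The failure mode described above, a permissions regression that silently widens who can read a project's chat, is the kind of change an object-level authorization regression test is meant to catch. The following is an added illustration, not Lovable's code; the data model, the per-project public flag and the sample users are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical data model (not Lovable's schema): a project has one owner,
# optional collaborators, and a chat history the owner may mark public.
@dataclass(frozen=True)
class Project:
    id: str
    owner_id: str
    chat_is_public: bool = False
    collaborator_ids: frozenset = field(default_factory=frozenset)

def is_member(viewer_id: str, project: Project) -> bool:
    return viewer_id == project.owner_id or viewer_id in project.collaborator_ids

def can_view_chat(viewer_id: str, project: Project) -> bool:
    # Object-level rule: the decision comes from this project's own ACL and
    # its explicit public flag, never from the route or the viewer's plan tier.
    return is_member(viewer_id, project) or project.chat_is_public

def can_view_secrets(viewer_id: str, project: Project) -> bool:
    # Source code and database credentials never inherit chat visibility.
    return is_member(viewer_id, project)

Check = Callable[[str, Project], bool]

def authz_matrix(viewers: List[str], projects: List[Project],
                 check: Check) -> Dict[Tuple[str, str], bool]:
    """Evaluate the check for every (viewer, project) pair."""
    return {(v, p.id): check(v, p) for v in viewers for p in projects}

def find_regressions(expected: Dict[Tuple[str, str], bool],
                     actual: Dict[Tuple[str, str], bool]) -> List[Tuple[str, str]]:
    """Pairs whose outcome differs from the approved matrix. A pair that was
    denied and is now allowed is exactly a silent re-enablement of access."""
    return sorted(k for k in expected if actual.get(k) != expected[k])

# Constructed sample data: alice's private project, bob's public-chat project,
# and mallory, an unrelated free-tier user.
PROJECTS = [Project("p1", "alice"), Project("p2", "bob", chat_is_public=True)]
VIEWERS = ["alice", "bob", "mallory"]
EXPECTED_CHAT = {
    ("alice", "p1"): True, ("bob", "p1"): False, ("mallory", "p1"): False,
    ("alice", "p2"): True, ("bob", "p2"): True, ("mallory", "p2"): True,
}

def check_for_regressions(check: Check = can_view_chat) -> List[Tuple[str, str]]:
    return find_regressions(EXPECTED_CHAT, authz_matrix(VIEWERS, PROJECTS, check))

# Deliberately broken check standing in for a backend permissions regression:
# it treats every project chat as public.
def regressed_can_view_chat(viewer_id: str, project: Project) -> bool:
    return True
```

Running `check_for_regressions()` in CI against the approved matrix returns an empty list for the correct check and names the newly readable pairs for the regressed one.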