Timeline of the Security Incident
Key dates leading up to the public disclosure of the security flaw
Primary Sources
Lovable vibesplains vulnerability to researcher, says it's actually ...
At first, Lovable stated that it hadn't suffered a data breach and blamed its documentation, but later admitted the uncovered flaw, curiously blaming its bug bounty partner, HackerOne.
Lovable Hacked: API Flaw Exposes Thousands of Projects on the Lovable ...
Breaking News, April 21, 2026, 12 min read. A security researcher posting as @weezerOSINT on X showed that a Lovable API flaw let any free Lovable account read source code, AI chat histories and database credentials belonging to other users. Lovable denies data was breached. The follow-up apology concedes a February 2026 backend change accidentally turned chat access back on for public projects, and that the HackerOne bug report sat as a duplicate submission for 48 days.

Key figures: 5 API calls from a free account; 48 days the HackerOne report sat unpatched; 1.1M views on the X disclosure; $6.6B Lovable valuation (Dec 2025).

Executive Summary. On April 20, 2026, @weezerOSINT on X demonstrated a Lovable API flaw that gave unauthorized users access to data belonging to other users across thousands of projects, reaching source code, AI chat histories, and database credentials with five API calls from a free account. The vulnerability is a textbook case of Broken Object Level Authorization (BOLA), the top-ranked issue on OWASP's API Security Top 10: the API verified that the caller was logged in, but not that the caller was allowed to read the specific project it asked for. Every project created before November 2025 was in scope. The bug was disclosed via HackerOne on March 3, 2026, about 48 days earlier. Lovable's HackerOne partners marked it as a duplicate and left it open. Lovable denies data was breached, calling the situation "unclear documentation." The follow-up apology admits a February 2026 backend regression opened up access to chats on public projects. If you ship on a cloud AI coding tool, rotate every API key and password you have pasted into a chat. Elephas keeps the chat on your Mac, so a regression on someone else's server can't leak your sensitive data.

This is the story of how a $6.6 billion valuation AI app builder, where Nvidia, Microsoft, Uber and Spotify employees hold personal accounts, let a free-tier account walk out with other developers' projects, chat history and Supabase credentials. The company's first move was to call it a documentation problem. It's also a story about where your chat history lives, and why the cybersecurity risk has moved from your app's frontend to the conversations you have with your tools.

Security Researcher @weezerOSINT on X Exposes the Lovable API Flaw. On April 20, 2026, an OSINT analyst posting as @weezerOSINT on X published a short security disclosure. He opened a fresh Lovable account the same day. He fired five API calls. From a free account, he was able to access another user's full project, reading the project's source tree, chat history,...
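The BOLA pattern the summary describes, as an added example that is not from the original article and not Lovable's own code: a hypothetical project-lookup handler that authenticates the caller but never authorizes per object, beside a hardened version that gates chat history and database credentials on ownership and exposes only the source tree of public projects (the invariant the described February regression broke). The project ids, user names, file contents and keys are constructed sample data; the Project type, handler names and exception classes are assumptions for the demo.

```python
"""Object-level authorization (BOLA) demo: vulnerable vs. hardened lookup.
Hypothetical backend, not Lovable's API; all data below is constructed."""
from dataclasses import dataclass


@dataclass
class Project:
    """One user project as the hypothetical backend stores it."""
    id: str
    owner: str
    public: bool
    source: dict          # path -> file contents
    chat: list            # AI chat history
    db_credentials: dict  # secrets pasted into the project (e.g. Supabase keys)


# Constructed sample data (not real users or keys): one private, one public project.
PROJECTS = {
    "p-100": Project("p-100", "alice", False,
                     {"src/App.tsx": "export default function App() {}"},
                     ["alice: add a login page", "assistant: done"],
                     {"SUPABASE_SERVICE_ROLE_KEY": "example-key-alice"}),
    "p-200": Project("p-200", "bob", True,
                     {"index.html": "<h1>hello</h1>"},
                     ["bob: make the header blue"],
                     {"DATABASE_URL": "postgres://bob:example@db.internal/app"}),
}


class Forbidden(Exception):
    """401/403: caller is not logged in."""


class NotFound(Exception):
    """404: no project the caller may know about has this id."""


def get_project_vulnerable(session_user, project_id):
    """BOLA: checks *that* the caller is logged in, never *which* objects the
    caller may read. Any free account can fetch any project id it can guess."""
    if session_user is None:
        raise Forbidden("login required")
    p = PROJECTS.get(project_id)
    if p is None:
        raise NotFound(project_id)
    return {"source": p.source, "chat": p.chat, "db_credentials": p.db_credentials}


def get_project_secure(session_user, project_id):
    """Object-level authorization done per field: the owner gets everything;
    a public project exposes only its source tree to others (chat and
    credentials stay owner-only); a private project someone else owns is
    indistinguishable from a nonexistent one, so ids cannot be enumerated."""
    if session_user is None:
        raise Forbidden("login required")
    p = PROJECTS.get(project_id)
    if p is None or (p.owner != session_user and not p.public):
        raise NotFound(project_id)
    if p.owner == session_user:
        return {"source": p.source, "chat": p.chat, "db_credentials": p.db_credentials}
    return {"source": p.source}


def leaked_projects(session_user, handler):
    """Sweep every known id as `session_user` through `handler` and return the
    ids whose chat history or credentials came back to a non-owner: what a
    fresh free account walks away with."""
    leaked = set()
    for pid, p in PROJECTS.items():
        if p.owner == session_user:
            continue
        try:
            resp = handler(session_user, pid)
        except (Forbidden, NotFound):
            continue
        if resp.get("chat") or resp.get("db_credentials"):
            leaked.add(pid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", sorted(leaked_projects("mallory", get_project_vulnerable)))
    print("hardened handler leaks:  ", sorted(leaked_projects("mallory", get_project_secure)))
```

Run as a script, the sweep from the fresh account "mallory" reports both projects leaked through the vulnerable handler and none through the hardened one. The design point is that the check is per object and per field: "is this caller logged in" is authentication, "may this caller read this project's chat" is authorization, and the second must run on every request for every sensitive field, not once per session.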
Lovable API Exposes User Data: Urgent Security Alert for AI-Dev Teams
A critical Broken Object Level Authorization (BOLA) vulnerability in Lovable's API allowed free accounts to access other users' source code and sensitive data. This urgent disclosure, reported 48 days ago, highlights significant security gaps in AI-assisted development platforms.
Lovable AI App Builder Hit by Reported API Flaw Exposing ... - GBHackers
The popular AI application builder, Lovable, is currently facing a massive data breach due to an unpatched API vulnerability. Security researchers have revealed that a critical flaw exposes sensitive project data, source code, and user credentials for any project created on the platform before November 2025.