Lovable security crisis: 48 days of exposed projects, unresolved bug reports, and the systemic breakdown of vibe coding security.
Summary: Lovable, a vibe coding platform valued at $6.6 billion with eight million users, has had three confirmed security incidents that exposed source code, database credentials, and large numbers of user records. The latest involved a broken object-level authorization (BOLA) vulnerability that went unaddressed for 48 days after a bug bounty report was closed without action. The incidents point to a systemic problem in vibe coding: depending on the study, 40-62% of AI-generated code contains vulnerabilities, and 91.5% of vibe-coded applications examined in Q1 2026 had at least one flaw tied to AI hallucinations. With 60% of new code expected to be AI-generated by year-end, the market's incentives favor growth over security.
Over the past two months, Lovable has dealt with security incidents that exposed source code, database credentials, AI chat histories, and personal information of thousands of users from projects hosted on its platform. The most recent, disclosed by a security researcher on April 20, was a broken object-level authorization flaw in Lovable's API that let anyone with a free account retrieve another user's profile, public projects, source code, and database credentials in five API calls. The researcher reported it to Lovable's bug bounty program on March 3; the company shipped a fix for new projects but left existing ones untouched, marking follow-up reports as duplicates and closing them. The vulnerability stayed open for 48 days.
Lovable's response followed a pattern that security researchers found more telling than the vulnerability itself. The company first stated on X that it "did not suffer a data breach," describing the exposed information as "intentional behavior." It then blamed its own documentation, arguing that the meaning of "public" had been ambiguous. Next it pointed at its bug bounty partner HackerOne, saying that reports were "closed without escalation because our HackerOne partners believed that accessing public project chats was the intended behavior." Later that day, Lovable issued a partial apology, conceding that pointing to documentation problems was not enough. Cybernews summed it up with the headline: "Lovable goes on ego trip denying vulnerability, then blames others for said vulnerability."
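The access pattern described above, as an added example rather than Lovable's own code: a deliberately broken handler with the object-level authorization gap, the hardened version, and the backfill over existing records that a fix applied only to new projects misses. The store, the identities and the visibility field are assumptions; the page does not show Lovable's schema.

```javascript
// Added example, not Lovable's code: a model of the broken object-level
// authorization (BOLA) flaw described above, the hardened handler, and the
// backfill step that a fix limited to "new projects" skips. Record fields,
// identities and the "visibility" attribute are constructed; Lovable's real
// schema is not shown on the page.

// Constructed stand-in for the projects table. The third row has no
// visibility field at all: a legacy record created before the fix.
function makeSampleStore() {
  return new Map([
    ["p1", { id: "p1", ownerId: "alice", visibility: "private", sourceCode: "// constructed", dbUrl: "postgres://constructed" }],
    ["p2", { id: "p2", ownerId: "alice", visibility: "public",  sourceCode: "// constructed", dbUrl: "postgres://constructed" }],
    ["p3", { id: "p3", ownerId: "bob",                           sourceCode: "// constructed", dbUrl: "postgres://constructed" }],
  ]);
}

// Vulnerable pattern: the caller is authenticated (any free account will do)
// but never authorised for *this* object. Only an explicit "private" flag
// blocks access, so a legacy row with no flag is served in full, and even
// legitimately public rows return source code and database credentials.
function getProjectVulnerable(store, requesterId, projectId) {
  if (!requesterId) return { status: 401 };
  const p = store.get(projectId);
  if (!p) return { status: 404 };
  if (p.visibility === "private" && p.ownerId !== requesterId) return { status: 403 };
  return { status: 200, body: p };
}

// Hardened pattern (a design choice for this example):
//   1. ownership is checked for every object, not only "private" ones;
//   2. a missing visibility value fails closed, i.e. is treated as private;
//   3. non-owners of a public project get a projection without secrets;
//   4. private objects return 404 to non-owners so their existence is not confirmed.
function isOwner(p, requesterId) { return p.ownerId === requesterId; }
function isPublic(p) { return p.visibility === "public"; } // undefined => not public

function publicProjection(p) {
  return { id: p.id, ownerId: p.ownerId, visibility: "public" };
}

function getProjectHardened(store, requesterId, projectId) {
  if (!requesterId) return { status: 401 };
  const p = store.get(projectId);
  if (!p) return { status: 404 };
  if (isOwner(p, requesterId)) return { status: 200, body: p };
  if (isPublic(p)) return { status: 200, body: publicProjection(p) };
  return { status: 404 };
}

// Data-side part of the fix. Changing how *new* rows are written leaves every
// existing row in the old state; the migration has to run over stored data
// too. Returns the number of rows it changed.
function backfillVisibility(store, defaultVisibility = "private") {
  let changed = 0;
  for (const p of store.values()) {
    if (p.visibility === undefined) {
      p.visibility = defaultVisibility;
      changed += 1;
    }
  }
  return changed;
}

// Stand-alone run: compare what a stranger ("mallory") gets from each handler.
const store = makeSampleStore();
for (const id of ["p1", "p2", "p3"]) {
  console.log(id, "vulnerable:", getProjectVulnerable(store, "mallory", id).status,
                  "hardened:",   getProjectHardened(store, "mallory", id).status);
}
console.log("legacy rows backfilled:", backfillVisibility(store));
```

The two halves matter together: the hardened handler alone still reads a legacy row's missing flag as private only because it fails closed; a code change that keeps the old permissive semantics and only writes the flag for new rows reproduces the 48-day gap exactly.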
What was revealed
The April incident affected projects created before November 2025. The researcher showed that retrieving a user's source code through Lovable's API also exposed the Supabase database credentials hardcoded in that code. One affected project belonged to Connected Women in AI, a Danish nonprofit; its exposed data included real user records with names, job titles, LinkedIn profiles, and Stripe customer IDs belonging to people at Accenture Denmark and Copenhagen Business School. Employees of Nvidia, Microsoft, Uber, and Spotify reportedly hold Lovable accounts associated with exposed projects.
This was the third documented security incident for the platform. In February, tech entrepreneur Taimur Khan found 16 vulnerabilities, six of them critical, in a single application hosted on Lovable that appeared on its Discover page and had more than 100,000 views. The most serious was inverted authentication logic that gave anonymous users full access while blocking authenticated users. The application, an AI-driven EdTech product, exposed 18,697 user records, including 4,538 student accounts from institutions such as UC Berkeley and UC Davis, potentially involving minors. Khan reported the findings to Lovable's support channel; his ticket was closed without a response.
An earlier assessment in May 2025 found that 170 of 1,645 sampled applications built on Lovable had vulnerabilities allowing unauthorized access to personal information. Nearly 70% of Lovable applications had no row-level security at all, the Postgres mechanism Supabase relies on to keep one user's rows out of another user's queries.
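The hardcoded Supabase credentials described above are the kind of finding a pre-publish scan of generated source catches. The following is an added example, not code from Lovable or Supabase: it scans a constructed source file for Supabase project URLs, JWT-shaped Supabase API keys (the classic anon and service_role keys carry `"iss":"supabase"` and a `role` claim in their payload), and Postgres connection strings that embed a password, and ranks the findings by severity. The sample source, project ref and keys are constructed.

```javascript
// Added example, not Lovable's or Supabase's code: a scanner for the kind of
// secret the April incident exposed, Supabase credentials hardcoded in
// generated source. The classic Supabase API keys are JWTs whose payload
// carries "iss":"supabase" and a "role" of either "anon" or "service_role";
// decoding the payload tells a browser-safe anon key from a server-only
// service key. The sample source, the project ref and the keys are constructed.

// Build an unsigned JWT shaped like a Supabase key. Real keys are signed by
// Supabase; the signature is irrelevant for classification.
function constructedSupabaseKey(ref, role) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const header = b64url({ alg: "HS256", typ: "JWT" });
  const payload = b64url({ iss: "supabase", ref, role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.constructed_signature_not_valid`;
}

const SAMPLE_REF = "abcdefghijklmnopqrst"; // constructed, 20 chars like a real project ref
const SAMPLE_SOURCE = `
import { createClient } from "@supabase/supabase-js";
const SUPABASE_URL = "https://${SAMPLE_REF}.supabase.co";
const SUPABASE_ANON_KEY = "${constructedSupabaseKey(SAMPLE_REF, "anon")}";
// a generated "fix" for an RLS error: the service key pasted into frontend code
const SUPABASE_SERVICE_KEY = "${constructedSupabaseKey(SAMPLE_REF, "service_role")}";
const DATABASE_URL = "postgresql://postgres:Constructed-Passw0rd@db.${SAMPLE_REF}.supabase.co:5432/postgres";
export const supabase = createClient(SUPABASE_URL, SUPABASE_SERVICE_KEY);
`;

// Three token shapes worth flagging in source that ships to a browser.
const JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{8,}/g;
const SUPABASE_URL_RE = /https:\/\/([a-z0-9]{20})\.supabase\.co\b/g;
const PG_URL_RE = /postgres(?:ql)?:\/\/[^:\s"']+:[^@\s"']+@[^\s"']+/g; // user:password@host

function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Scan a source string; returns findings ordered by severity. The secrets
// themselves are never copied into the report.
function scanForSupabaseSecrets(source) {
  const findings = [];
  for (const m of source.matchAll(SUPABASE_URL_RE)) {
    findings.push({ kind: "supabase_url", severity: "info", ref: m[1] });
  }
  for (const m of source.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(m[0]);
    if (!payload || payload.iss !== "supabase") continue; // some other JWT
    if (payload.role === "service_role") {
      // Bypasses row-level security entirely: never belongs in client code.
      findings.push({ kind: "service_role_key", severity: "critical", ref: payload.ref });
    } else if (payload.role === "anon") {
      // Meant to be public, but only safe if every table has RLS policies.
      findings.push({ kind: "anon_key", severity: "medium", ref: payload.ref });
    }
  }
  for (const _ of source.matchAll(PG_URL_RE)) {
    findings.push({ kind: "postgres_url_with_password", severity: "critical" });
  }
  const rank = { critical: 0, medium: 1, info: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

console.log(scanForSupabaseSecrets(SAMPLE_SOURCE));
```

Grading the anon key as medium rather than clean is deliberate: it is designed to be shipped to browsers, but only on the assumption that row-level security is enabled on every table, which the May 2025 assessment found was missing in nearly 70% of Lovable applications.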
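The inverted authentication logic described above, as an added example (not code from the EdTech application or from Lovable): the inverted guard beside a fail-closed version, plus an authorization-matrix check that would have caught the inversion before deployment. User records, session shape and route behaviour are constructed.

```javascript
// Added example, not code from the EdTech application or from Lovable: the
// "inverted authentication logic" the article describes, next to a fail-closed
// version and the authorization matrix check that would have caught it.
// User records, session shape and route behaviour are constructed.

// Constructed user table and the sensitive records the route serves.
const USERS = new Map([
  ["u1", { id: "u1", role: "student" }],
  ["u2", { id: "u2", role: "admin" }],
]);
const STUDENT_RECORDS = [{ id: "u1", name: "constructed student", school: "Example University" }];

// Resolve the session to a user, or null for an anonymous request.
function authenticate(req) {
  return req.sessionUserId ? USERS.get(req.sessionUserId) ?? null : null;
}

// Vulnerable: the guard is inverted. It was meant to reject requests with no
// user; instead it rejects every logged-in user and serves anonymous callers
// the full student list.
function studentsHandlerVulnerable(req) {
  const user = authenticate(req);
  if (user !== null) {                       // BUG: should be `user === null`
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: STUDENT_RECORDS };
}

// Hardened: authentication and authorisation are separate, explicit steps,
// each of which fails closed.
function requireAuth(req) {
  const user = authenticate(req);
  return user ? { ok: true, user } : { ok: false };
}
function hasRole(user, role) {
  return user.role === role;
}
function studentsHandlerHardened(req) {
  const auth = requireAuth(req);
  if (!auth.ok) return { status: 401, body: "authentication required" };
  if (!hasRole(auth.user, "admin")) return { status: 403, body: "forbidden" };
  return { status: 200, body: STUDENT_RECORDS };
}

// Authorization matrix: call the same handler as each kind of principal and
// record the HTTP status. Asserting on this table in CI turns "anonymous gets
// 200, admin gets 403" from a production incident into a failing build.
function authMatrix(handler) {
  const principals = {
    anonymous: {},
    student: { sessionUserId: "u1" },
    admin: { sessionUserId: "u2" },
  };
  const matrix = {};
  for (const [name, req] of Object.entries(principals)) {
    matrix[name] = handler(req).status;
  }
  return matrix;
}

console.log("vulnerable:", authMatrix(studentsHandlerVulnerable)); // anonymous 200, student 403, admin 403
console.log("hardened:  ", authMatrix(studentsHandlerHardened));   // anonymous 401, student 403, admin 200
```

The matrix is the detection half of the story: a single anonymous-request test against every sensitive route is cheap, and it is the check most likely to be absent when nobody reads the generated code.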
The structural issue
Lovable's insecurity is not an isolated case; it reflects a weakness across the industry. The platform generates full-stack applications on React, Tailwind, and Supabase from natural language prompts, a practice called vibe coding, a term coined by Andrej Karpathy in February 2025. Users describe an application and an AI model builds it without anyone writing or reviewing code. Collins English Dictionary named it Word of the Year for 2025. Gartner expects 60% of all newly written code to be AI-generated by the end of this year.
The security statistics across the field are consistent. Between 40% and 62% of AI-generated code contains security flaws, depending on the study. An analysis of 470 GitHub pull requests found that AI-produced code carried vulnerabilities at 2.74 times the rate of human-written code. A Q1 2026 review of more than 200 vibe-coded applications found that 91.5% had at least one vulnerability tied to AI hallucinations. More than 60% had exposed
