Lovable Platform Breach
- Polymarket reported a major breach at AI platform Lovable that exposed user chat histories, code, and DB credentials.
- The leaked data reportedly included AI conversation logs, source code, and database credentials tied to the service.
- The disclosure raises immediate privacy and security questions for users and developers of hosted AI chat services.
Lovable, an artificial intelligence app-building platform, is facing scrutiny after researchers said they could access other users’ project data through the service. (economictimes.indiatimes.com)

Lovable lets users build websites and apps by chatting with an artificial intelligence system, then stores prompts, generated code, and project settings inside the editor. Its own site says millions of projects have been built on the platform, and its documentation says project visibility can be set to public, workspace, or restricted. (lovable.dev, docs.lovable.dev)

The immediate dispute is over what was actually exposed. Lovable told The Economic Times on April 20, 2026 that it “did not suffer a data breach” and said some visibility concerns involved projects that had been set to public, while also acknowledging its documentation around “public” had been unclear. (economictimes.indiatimes.com)

A separate report published April 20, 2026 by Cyber Kendra said a researcher using the name @weezerOSINT found a broken object level authorization flaw in Lovable’s application programming interface, or application-to-application doorway, that allegedly let a free account access other users’ source code, database credentials, chat histories, and customer data. That report said the issue affected projects created before November 2025 and had been present for 48 days. (cyberkendra.com)

That distinction matters because a public setting is a user-chosen sharing control, while a broken object level authorization flaw means the platform itself is handing one account another account’s data. Lovable’s own help pages say publishing a site does not by itself expose the underlying project or code, and say project access is supposed to be controlled separately. (lovable.dev, docs.lovable.dev)

The company has spent much of the past year emphasizing security after earlier problems in apps built on its stack.
Lovable’s security pages say it scans projects for exposed secrets and misconfigurations, offers a trust center, and routes vulnerability reports through HackerOne and security@lovable.dev. (lovable.dev, trust.lovable.dev, lovable.dev)

Those earlier issues were not identical to the current claim. In June 2025, security reports tied to CVE-2025-48757 described weaknesses in row-level security, a database rule system that decides which rows each user can see, and said more than 170 Lovable-built apps were exposed through misconfigured access controls. (superblocks.com, cybersecuritynews.com)

Lovable’s current security marketing also makes a broader promise that is now under pressure. Its security page says customer prompts, code, and workspace data are not used to train Lovable models, and that customer data stays in the selected region by default. (lovable.dev)

For users, the practical question is whether private chats, code, and credentials stayed inside the account boundary Lovable describes in its docs. For Lovable, the next step is narrower: show whether the April 2026 claims were a visibility misunderstanding, an application programming interface authorization bug, or both. (docs.lovable.dev, economictimes.indiatimes.com, cyberkendra.com)
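As an added illustration of the distinction the article draws (a public visibility setting chosen by the user versus an authorization bug in the API that serves project objects) and of the per-row ownership checks the 2025 row-level security reports concerned, here is a small Python model that is not Lovable's code: the project store, field names, sample accounts and credential strings are all hypothetical and constructed for this example.

```python
from collections import namedtuple

# Hypothetical in-memory model of a project-hosting API; all data below is constructed.
# visibility is "public", "workspace" or "restricted", the three settings Lovable's docs name.
Project = namedtuple("Project", "project_id owner workspace visibility source db_credentials")
Requester = namedtuple("Requester", "user workspace")

PROJECTS = {
    "p1": Project("p1", "alice", "ws-a", "restricted", "print('a')", "postgres://alice:pw@db/a"),
    "p2": Project("p2", "bob", "ws-b", "public", "print('b')", "postgres://bob:pw@db/b"),
    "p3": Project("p3", "carol", "ws-a", "workspace", "print('c')", "postgres://carol:pw@db/c"),
}

def get_project_vulnerable(requester, project_id):
    """Broken object level authorization: the object is fetched by ID alone, so any
    authenticated account can read any project regardless of its visibility setting."""
    return PROJECTS.get(project_id)

def can_read(requester, project):
    """Visibility is a user-chosen sharing control; it must be evaluated server-side
    for the account making the request, never inferred from the ID the caller supplies."""
    if project.owner == requester.user or project.visibility == "public":
        return True
    return project.visibility == "workspace" and project.workspace == requester.workspace

def get_project(requester, project_id):
    """Hardened lookup: the authorization check runs on every object access."""
    project = PROJECTS.get(project_id)
    if project is None or not can_read(requester, project):
        return None  # same answer for missing and forbidden, so IDs are not enumerable
    return project

def project_view(requester, project_id):
    """API response body: readers get the code, but database credentials are owner-only,
    so even a genuinely public project does not hand out its secrets."""
    project = get_project(requester, project_id)
    if project is None:
        return None
    view = {"project_id": project.project_id, "visibility": project.visibility,
            "source": project.source}
    if project.owner == requester.user:
        view["db_credentials"] = project.db_credentials
    return view
```

The same `can_read` predicate is what a row-level security policy expresses at the database layer; the 2025 reports concerned apps where that policy was missing or misconfigured.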