A serious security flaw exposes confidential data on the Lovable platform

A serious authorization vulnerability in the Lovable platform, a popular AI-powered app builder, has allowed unauthorized users to access sensitive data from numerous projects. According to reports, this critical flaw, classified as Broken Object Level Authorization, affects all projects created before November 2025, exposing confidential information that includes source code, database credentials, and customer interaction logs.

Change your passwords now

This vulnerability occurs when an API grants access to objects without verifying whether the requesting user actually has the authorization to view them. Recent investigations have revealed that users with free accounts can make unauthenticated API calls to the platform and retrieve data from other users’ projects. Among the exposed information, database credentials and customer data have been found, linking organizations such as Connected Women in AI and Accenture, as well as employees of Nvidia and Microsoft.
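The pattern described above, shown as an added example rather than Lovable's own code: a minimal "get project" handler in a vulnerable form (the object is returned to whoever names a valid id) next to a hardened form (the caller must be authenticated and must own the object), plus a small audit over access-log records that finds reads of objects the caller does not own. The project ids, user names, database URLs and log records are all constructed for the demo.

```javascript
// Added example, not Lovable's code: the Broken Object Level Authorization
// (BOLA) pattern as a minimal "get project" handler in a vulnerable and a
// hardened form, plus a log audit that finds cross-tenant reads served by
// the vulnerable version. All ids, users and records below are constructed.

// Constructed project store: each object records the tenant that owns it.
const projects = new Map([
  ['p-100', { id: 'p-100', ownerId: 'alice', dbUrl: 'postgres://alice-db.example/app' }],
  ['p-200', { id: 'p-200', ownerId: 'bob',   dbUrl: 'postgres://bob-db.example/app' }],
]);

// Vulnerable: only the existence of the object is checked. The caller's
// identity (or lack of one) never enters the decision, so any request that
// names a valid id gets the stored secrets back.
function getProjectVulnerable(request, projectId) {
  const project = projects.get(projectId);
  if (!project) return { status: 404 };
  return { status: 200, body: project };
}

// Hardened: require an authenticated principal, then check that the
// principal owns the object before returning it. "Missing" and "not yours"
// both map to 404 so the response does not confirm which ids exist.
function getProjectSecure(request, projectId) {
  if (!request.user) return { status: 401 };
  const project = projects.get(projectId);
  if (!project || project.ownerId !== request.user.id) return { status: 404 };
  return { status: 200, body: project };
}

// Audit helper for the window in which the vulnerable handler was live:
// given access-log records { userId, projectId, status }, return those where
// a 200 was served for an object the caller does not own. userId is null
// for unauthenticated calls, so those are flagged as well.
function findCrossTenantReads(records) {
  return records.filter((r) => {
    if (r.status !== 200) return false;
    const project = projects.get(r.projectId);
    return !project || project.ownerId !== r.userId;
  });
}

// Constructed sample log from the vulnerable period.
const sampleLog = [
  { userId: 'alice', projectId: 'p-100', status: 200 }, // own project: fine
  { userId: 'bob',   projectId: 'p-100', status: 200 }, // cross-tenant read
  { userId: null,    projectId: 'p-200', status: 200 }, // unauthenticated read
  { userId: 'bob',   projectId: 'p-999', status: 404 }, // failed probe, not a read
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(getProjectVulnerable({ user: null }, 'p-200').status);      // 200
  console.log(getProjectSecure({ user: null }, 'p-200').status);          // 401
  console.log(getProjectSecure({ user: { id: 'bob' } }, 'p-100').status); // 404
  console.log(findCrossTenantReads(sampleLog).length);                    // 2
}
```

The ownership check belongs in the handler (or a shared data-access layer) rather than in the client, and the audit shows why access logs that record both the caller and the object id matter: without the owner comparison there is no way, after the fact, to tell a legitimate read from a cross-tenant one.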

The problem was reported to Lovable through HackerOne approximately 48 days before its public disclosure on March 3, 2026, but a patch has still not been implemented for older projects. Although the platform has applied fixes for new projects, the risk for existing applications remains critical, leaving many users vulnerable.

Experts urge owners of older projects to change their API keys and credentials immediately, on the assumption that their information may already have been compromised. This situation highlights a recurring challenge in AI-native development platforms: security measures often lag behind the rapid deployment of new features, leaving early adopters of these technologies in a dangerous position.