Draft #1533 Skipped Created Apr 23, 2026, 07:53:57

Pipeline run for this draft

Generated note

No note text was produced for this draft.

Source post

Lovable, the AI app builder with millions of users, has a mass data breach affecting every project created before their patch in November 2025. Any free account can access other users' source code, database credentials, AI chat histories, and real customer data through five unauthenticated API calls. The bug was reported 48 days ago on HackerOne. It's still open. Here's the breakdown:

> The vulnerability is Broken Object Level Authorization. Lovable's API verifies Firebase auth tokens but never checks whether the requesting user actually owns the project. Any authenticated user can query any project.

> @weezerOsint created a free account today and accessed another user's full source tree, including an admin panel built for Connected Women in AI, a real Danish nonprofit. The project was last edited 10 days ago with 3,703 edits this year. This is active work.

> The source code contained hardcoded Supabase credentials (SUPABASE_URL, SUPABASE_PUBLISHABLE_KEY, SUPABASE_SERVICE_ROLE_KEY). The developer queried the database and got back real names, real companies, real LinkedIn profiles. Speakers from Accenture Denmark and Copenhagen Business School. Not test data.

> Affected endpoints include /projects/{id}/*, /git/files, /git/file, and /documents. All return 200 OK for pre-patch projects.

> Every AI conversation is stored and accessible through the same bug. Developers discuss database schemas, paste error logs, share credentials, and walk through business logic with the AI. All of it is readable.

> Lovable patched new projects but left existing ones exposed. A project created in April 2026 returns 403 Forbidden. The same developer's older project, same API, same endpoint, same free account, same session, returns 200 OK with the full source tree.

> The first HackerOne report (#3583821) was filed March 3, 2026. Lovable triaged it, shipped ownership checks for new projects, and left every existing project wide open. 48 days later, nothing has changed.

> Employees from Nvidia, Microsoft, Uber, and Spotify all have Lovable accounts. The exposure is not limited to hobby projects.

Apr 20, 2026, 12:53:15 Open on X →

Pipeline steps

1 step
Step #1

generate_note

Skipped
Started
Apr 23, 2026, 07:53:57
Finished
Apr 23, 2026, 07:53:57
Duration

Input snapshot

(empty)

Output snapshot

{
  "reason": "post_too_old"
}