Last updated: May 14, 2026 at 10:49 AM UTC

Lovable 'vibe coding' platform exposed source code, Supabase credentials, and AI chat history for 76 days via missing ownership check in API

Security researcher @weezerOSINT disclosed on April 20 that Lovable, the Swedish AI code-generation platform that just raised a $330M Series B at a $6.6B valuation, had a Broken Object Level Authorization flaw letting any free account read another user's project source code, hardcoded database credentials, AI chat transcripts, and customer data - using only five API calls. The /projects/{id}/* endpoints verified Firebase authentication but skipped any ownership check. On April 23 Lovable published a formal incident report admitting the exposure window ran February 3 to April 20, a full 76 days, caused by a backend regression that silently undid a fix shipped in 2025. Every Lovable project created before November 2025 was readable. The researcher demonstrated the impact by pulling source code from Connected Women in AI, a Danish nonprofit with over 3,700 edits in 2026 alone, extracting hardcoded Supabase credentials from that code, then querying the live database to retrieve real names, LinkedIn profiles, and Stripe customer IDs belonging to Accenture Denmark and Copenhagen Business School staff. Lovable's initial public response was to deny a breach occurred and blame its documentation and HackerOne triage partner before eventually apologizing.
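The failure mode described above, as an added example that is not Lovable's code and does not reflect its real backend: a project-read handler that authenticates the caller but never checks ownership, next to the same handler with the object-level check restored, plus a small regression check of the kind that would catch a fix being silently undone. The users, bearer tokens, project ids and the secret string are all constructed in memory for the example.

```javascript
// Added example (not Lovable's code). All data below is constructed.
// Stand-in identity store: bearer token -> user record.
const users = new Map([
  ["tok-alice", { id: "u1", email: "alice@example.com" }],
  ["tok-mallory", { id: "u2", email: "mallory@example.com" }],
]);

// Stand-in project store: each project belongs to exactly one owner.
const projects = new Map([
  ["p100", { id: "p100", ownerId: "u1", source: "const SUPABASE_KEY = 'constructed-secret';" }],
  ["p200", { id: "p200", ownerId: "u2", source: "// mallory's own project" }],
]);

// Plays the role of "verify Firebase authentication": maps a bearer token to a user,
// or null when the token is missing or unknown.
function authenticate(headers) {
  const auth = headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
  return token ? users.get(token) || null : null;
}

// Vulnerable pattern (Broken Object Level Authorization): the caller must hold a
// valid token, but nothing ties the caller to the project id in the path.
function getProjectSourceVulnerable(req) {
  const user = authenticate(req.headers);
  if (!user) return { status: 401, body: "unauthenticated" };
  const project = projects.get(req.params.id);
  if (!project) return { status: 404, body: "not found" };
  return { status: 200, body: project.source }; // any authenticated user gets it
}

// Hardened: authentication, then an ownership check on the specific object.
// Answering 404 rather than 403 for foreign projects avoids confirming the id exists.
function getProjectSource(req) {
  const user = authenticate(req.headers);
  if (!user) return { status: 401, body: "unauthenticated" };
  const project = projects.get(req.params.id);
  if (!project || project.ownerId !== user.id) {
    return { status: 404, body: "not found" };
  }
  return { status: 200, body: project.source };
}

// Regression check: for every (caller, project) pair where the caller is not the
// owner, the handler must not return 200. Run this in CI so a later refactor that
// drops the ownership check fails the build instead of shipping silently.
function crossTenantReadBlocked(handler) {
  for (const [token, user] of users) {
    for (const [id, project] of projects) {
      if (project.ownerId === user.id) continue;
      const res = handler({ headers: { authorization: `Bearer ${token}` }, params: { id } });
      if (res.status === 200) return false;
    }
  }
  return true;
}

// Demonstration when run directly.
const foreignRead = { headers: { authorization: "Bearer tok-mallory" }, params: { id: "p100" } };
console.log("vulnerable handler, foreign project:", getProjectSourceVulnerable(foreignRead).status);
console.log("hardened handler, foreign project:", getProjectSource(foreignRead).status);
console.log("vulnerable passes regression check:", crossTenantReadBlocked(getProjectSourceVulnerable));
console.log("hardened passes regression check:", crossTenantReadBlocked(getProjectSource));
```

The point of `crossTenantReadBlocked` is that an authentication check alone never fails this test in the wrong direction: a handler can be fully "logged in" and still leak every object, so the test enumerates non-owner pairs explicitly rather than trusting that a 401 path exists.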

Check
If your team or any staff member has ever built anything on Lovable (including experimental internal tools, prototypes, and hackathon projects), treat every secret that was ever in a Lovable project or chat as potentially public.
Affected
Any Lovable project created before November 2025 was readable by any other Lovable user between February 3 and April 20, 2026. That includes source code (which Lovable commonly generates with hardcoded Supabase anon keys and service role keys), AI chat histories (which often contain pasted API keys and config values), and any customer data stored in the project's connected Supabase database.
Fix
Rotate every Supabase anon key and service role key associated with any project you ever built on Lovable, plus any third-party API key that was ever pasted into a Lovable app, chat, or prompt - Stripe, Resend, SendGrid, OpenAI, Anthropic, and so on. Enable Row Level Security on every table in every connected Supabase project and review each policy by hand. Pull the last 90 days of Supabase audit logs and search for anomalous reads. Export and archive anything you need out of Lovable, remove sensitive values from chat history, and watch for Lovable's direct email notifying affected projects. For EU personal data, open the GDPR breach notification process.