Lovable AI App Builder Reportedly Exposes Data from Thousands of Projects via API Flaw

The popular AI-powered application builder Lovable is facing serious security concerns after a critical API vulnerability reportedly exposed sensitive data from thousands of user projects.

The researcher who reported it warns that the flaw affects projects created before November 2025, potentially leaking source code, credentials, and user information.

The issue was publicly disclosed by security researcher @weezerOSINT on X (formerly Twitter).

According to the report, any user with a free Lovable account can exploit the vulnerability to access private data belonging to other users.

Despite being reported to the company 48 days before the public disclosure, the flaw remains unpatched for older projects; the researcher says the report was closed as a duplicate.

At the core of the problem is an inconsistently applied authorization check. Lovable appears to have fixed the issue for newly created projects, but failed to apply the same protection to legacy projects, so whether a request is authorized depends on when the project was created rather than on who is asking.

The researcher demonstrated that API responses differ based on when a project was created. Projects built recently, such as in April 2026, correctly return a “403 Forbidden” response when unauthorized access is attempted.

However, projects created before November 2025 return a “200 OK” response, effectively granting unrestricted access to sensitive project data.

This flaw is particularly concerning because it impacts even actively maintained projects: the check is keyed on the creation date, not on the project's current state. In one example, a project updated just 10 days before the disclosure, with thousands of edits, was still fully exposed because of its older creation date.
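The following is an added illustration of the failure mode described above, not code from Lovable or from the researcher's report. It reconstructs, in hypothetical form, an object-level authorization check that was bolted onto the code path for projects created after a cutoff while legacy projects fall through to the old behaviour, beside the hardened form that makes one decision based only on the owner and the requester. The cutoff timestamp, the project records and the account names are all constructed for the example; the real API, its routes and its data model are not known from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed boundary: the article says projects created before November 2025
# still return 200; the exact timestamp used by the real service is an assumption.
LEGACY_CUTOFF = datetime(2025, 11, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Project:
    id: str
    owner_id: str
    created_at: datetime
    updated_at: datetime
    is_public: bool = False


@dataclass(frozen=True)
class Requester:
    user_id: Optional[str]  # None models an unauthenticated caller


def authorize_vulnerable(project: Project, requester: Requester) -> int:
    """Hypothetical reconstruction of the reported behaviour: the ownership
    check exists only on the branch for projects created after the cutoff.
    Legacy projects never reach it, so any logged-in account gets 200."""
    if project.created_at >= LEGACY_CUTOFF:
        if project.is_public or requester.user_id == project.owner_id:
            return 200
        return 403
    # Legacy branch: authentication is checked, authorization is not.
    return 200 if requester.user_id is not None else 401


def authorize_fixed(project: Project, requester: Requester) -> int:
    """Hardened form: a single decision on (owner, requester). Creation date
    and last-edit time play no part, so no population of records is skipped."""
    if requester.user_id is None:
        return 401
    if project.is_public or requester.user_id == project.owner_id:
        return 200
    return 403  # a 404 here would additionally avoid confirming the id exists


Policy = Callable[[Project, Requester], int]


def audit(policy: Policy, projects: List[Project], requester: Requester) -> Dict[str, int]:
    """Run one policy over every project for one requester; returns id -> status."""
    return {p.id: policy(p, requester) for p in projects}


def exposed_ids(policy: Policy, projects: List[Project], requester: Requester) -> List[str]:
    """Project ids a non-owner can read under the given policy. Any entry here
    is a broken object-level authorization finding."""
    return [pid for pid, status in audit(policy, projects, requester).items()
            if status == 200 and all(p.owner_id != requester.user_id
                                     for p in projects if p.id == pid)]


# Constructed sample data mirroring the article's two cases: an old project that is
# still actively edited, and a recently created one.
SAMPLE_PROJECTS = [
    Project("legacy-2024", owner_id="victim",
            created_at=datetime(2024, 6, 3, tzinfo=timezone.utc),
            updated_at=datetime(2026, 4, 20, tzinfo=timezone.utc)),  # edited recently
    Project("new-2026", owner_id="victim",
            created_at=datetime(2026, 4, 2, tzinfo=timezone.utc),
            updated_at=datetime(2026, 4, 2, tzinfo=timezone.utc)),
]
ATTACKER = Requester("free-account")  # any other logged-in user
OWNER = Requester("victim")

if __name__ == "__main__":
    print("vulnerable:", audit(authorize_vulnerable, SAMPLE_PROJECTS, ATTACKER))
    print("fixed:     ", audit(authorize_fixed, SAMPLE_PROJECTS, ATTACKER))
    print("still exposed after partial fix:",
          exposed_ids(authorize_vulnerable, SAMPLE_PROJECTS, ATTACKER))
```

The audit helper is also the shape of a regression test worth keeping in any service that patches an authorization bug: run the policy over a sample of records spanning every creation date and migration state, with a requester who owns none of them, and fail the build if any id comes back readable.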

The scope of exposed data significantly increases the severity of the vulnerability. According to the disclosure, an attacker exploiting this flaw can access the complete project source code, administrative panels, database credentials, and infrastructure secrets, and through those, any customer data and sensitive user information the project holds.

One of the most alarming aspects is the exposure of AI conversation histories. These logs often contain detailed technical discussions between developers and the AI assistant, including database schemas and backend logic.

In a demonstrated case, the researcher accessed the admin panel of a Danish nonprofit organization, revealing chat logs that exposed user data structures, including email addresses and names.

The impact is not limited to small developers. The disclosure indicates that employees from major technology companies such as Nvidia, Microsoft, Uber, and Spotify have accounts on the platform.

If these users created internal tools or prototypes before the November 2025 cutoff, their proprietary code and credentials could now be publicly accessible.

Despite the widespread exposure and potential risks, Lovable has yet to release a comprehensive fix for affected legacy projects.

The incident highlights the dangers of incomplete security patches: a fix applied only to newly created records leaves the entire existing population exposed, and a 200 or 403 that depends on a record's age rather than on the requester is the signature to look for. Authorization has to be enforced uniformly, at the object level, across all user environments.


The post Lovable AI App Builder Reportedly Exposes Thousands of Project Data via API Flaw appeared first on Cyber Security News.
