CRITICAL·ai-built

Lovable — 48-day BOLA exposure on a $6.6B vibe-coding platform

Lovable, the $6.6B vibe-coding platform, left every user's source code, database credentials, and AI chat histories accessible for 48 days. Researchers scanned 1,645 Lovable-built apps and found 170 (10.3%) with vulnerable endpoints: Supabase tables with no Row-Level Security (RLS), reachable from the browser with the public anon_key hardcoded into the client bundle.

Victim: Lovable (vibe-coding platform; 8M users)

What happened

Security researcher Matt Palmer disclosed a Broken Object-Level Authorization (BOLA) flaw on April 20, 2026, after the bug-bounty report had been closed without escalation for 48 days. Lovable-generated apps used the Supabase public anon_key to make direct REST API calls from the browser without RLS policies, exposing source code, real names, LinkedIn profiles, and Stripe customer IDs.

Timeline

  1. Palmer files HackerOne bug-bounty report disclosing BOLA-class flaw to Lovable.

  2. Lovable closes the report without escalation; bug remains live.

  3. Palmer publishes public disclosure after 48 days of no fix; news outlets pick it up.

  4. Lovable posts on X claiming 'no data breach occurred', calling exposed data 'intentional behaviour'.

  5. Lovable shifts blame to its own documentation, then to HackerOne, then issues partial apology.

  6. Pattern across 170 of 1,645 apps confirmed; 10.3% of pre-November-2025 projects affected.

Root cause

Lovable's code generator emitted apps that used the Supabase public anon_key for direct browser-to-REST API calls without enforcing Row-Level Security policies. Without RLS, the anon_key — which ships with every client by design — allowed cross-tenant reads of arbitrary tables containing user PII, Stripe customer IDs, and project source code.

Impact

  • 170+ Lovable-built apps with 303 confirmed vulnerable endpoints (out of 1,645 scanned)
  • Real names, job titles, LinkedIn profiles, and Stripe customer IDs reachable via anonymous HTTP
  • Source code, database credentials, and AI chat histories pulled by researchers
  • 48 days of live exposure between disclosure and patch
  • The context of Lovable's $6.6B valuation magnified the reputational damage

Would Securie have caught it?

Yes. Securie's Supabase RLS specialist and AuthAuthz (BOLA) specialist would flag the missing RLS policies on the projects table and the BOLA-vulnerable browser-to-Supabase REST calls before merge. Independently, the secret_scanner specialist would have flagged the hardcoded anon_key shipping inside the Lovable client bundle as a critical-severity finding.

Lessons

  • Never make direct browser-to-Supabase REST calls without RLS — the anon_key is public by design
  • Default-deny RLS on every table is the correct baseline; explicit allow-policies layer on top
  • Bug-bounty reports closed without escalation are a process failure — set policies for re-escalation
  • Platform marketing claims of 'security by default' must be tested by independent scanning
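The root cause and the first two lessons above come down to one Postgres configuration. The following SQL is an added example, not Lovable's or Supabase's own code: it shows the weak state (a public-schema table with RLS left off, readable by anyone holding the anon_key), then the default-deny baseline with explicit owner-only policies layered on top, and a catalog query a reviewer can run to find any table still missing RLS. It assumes a Supabase Postgres project with the standard `anon` and `authenticated` roles and the `auth.uid()` helper; the `projects` and `billing_secrets` tables and their columns are hypothetical.

```sql
-- WEAK: the state the root cause describes. A table in the `public` schema
-- with RLS off is fully readable through the REST API using nothing more
-- than the anon_key that ships in every client bundle by design.
create table public.projects (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null references auth.users (id),
  name        text not null,
  source_code text
);
-- With no RLS, GET /rest/v1/projects returns every tenant's rows.

-- FIXED, step 1: default-deny. Enabling RLS with zero policies means the
-- anon and authenticated roles see no rows until a policy allows it.
alter table public.projects enable row level security;
alter table public.projects force row level security;  -- applies to the table owner too

-- FIXED, step 2: explicit allow-policies on top of the deny baseline.
-- Only a signed-in user whose JWT subject matches owner_id may touch a row.
-- Nothing is granted to `anon`, so an anon_key-only caller still gets nothing.
create policy "projects: owner can read"
  on public.projects for select
  to authenticated
  using (owner_id = auth.uid());

create policy "projects: owner can insert"
  on public.projects for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "projects: owner can update"
  on public.projects for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "projects: owner can delete"
  on public.projects for delete
  to authenticated
  using (owner_id = auth.uid());

-- Secrets such as Stripe customer IDs do not belong in a browser-facing
-- table at all: keep them where client roles have no privileges, and reach
-- them only from server-side code that never ships the key to a browser.
create table public.billing_secrets (
  owner_id           uuid primary key references auth.users (id),
  stripe_customer_id text not null
);
alter table public.billing_secrets enable row level security;
revoke all on table public.billing_secrets from anon, authenticated;

-- CHECK: run in review or CI. Any row returned is a finding, because it is a
-- public-schema table that the REST API exposes without RLS.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- CHECK: list the policies actually attached to a table, so "RLS enabled"
-- is never mistaken for "RLS enabled with a permissive `using (true)`".
select policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and tablename = 'projects';
```

The order matters: enable RLS first, then add policies. A table with RLS enabled and no policies is the safe default (nothing is readable), whereas a policy written before RLS is enabled has no effect at all, and a policy whose `using` clause is `true` grants the same cross-tenant access the bug report describes.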
