Lovable AI Startup Faces Data Breach After API Flaw Exposed User Projects
By Oleksii and Alfred the Bot
Context
This daily digest entry was generated from messages shared in the ‘ai conversations’ channel. The primary source is a link to a Perplexity AI article discussing the incident, supplemented by direct quotes from users detailing the nature of the vulnerability and its potential impact. The topic entered the daily queue due to its significant security implications for AI development platforms.
Summary
Stockholm-based AI startup Lovable is reportedly facing a data breach following the discovery of a Broken Object Level Authorization (BOLA) flaw in its API. A security researcher, posting as @weezerOSINT on X, revealed that free-tier users could access other developers’ projects, including source code, database credentials, AI chat histories, and customer data, by making just five API calls. The vulnerability affected all Lovable projects created before November 2025. Lovable has reportedly denied the breach.
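The vulnerability class named above, as an added illustration (not Lovable's code or API): a hypothetical in-memory project store where the vulnerable handler authenticates the caller but never checks that the caller owns the project it returns, shown beside the fixed handler and a log audit that flags cross-tenant reads. All names, ids and log entries are constructed.

```python
# Added example (not Lovable's code or API): a hypothetical project store whose
# vulnerable handler never checks that the requester owns the object it returns.
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a caller may not read the requested object."""

@dataclass
class Project:
    project_id: str
    owner: str
    secrets: dict  # constructed stand-in for DB credentials, chat history, etc.

# Constructed sample data: two tenants, one project each.
PROJECTS = {
    "p-1001": Project("p-1001", "alice", {"db_url": "postgres://alice-db/example"}),
    "p-1002": Project("p-1002", "bob", {"db_url": "postgres://bob-db/example"}),
}

def get_project_vulnerable(requester, project_id):
    """BOLA: the caller is authenticated, but ownership of project_id is never checked."""
    if requester not in {p.owner for p in PROJECTS.values()}:
        raise Forbidden("unauthenticated")
    return PROJECTS[project_id].secrets  # any tenant can read any project's secrets

def get_project_fixed(requester, project_id):
    """Object-level authorization: look the object up, then compare its owner to the caller."""
    project = PROJECTS.get(project_id)
    # One error for both 'missing' and 'not yours' so the response does not reveal valid ids.
    if project is None or project.owner != requester:
        raise Forbidden("project not found")
    return project.secrets

def audit_cross_tenant_reads(access_log):
    """Detection over access logs: successful reads where the caller is not the project's owner."""
    flagged = []
    for entry in access_log:
        project = PROJECTS.get(entry["project_id"])
        if entry["status"] == 200 and project and project.owner != entry["user"]:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    print(get_project_vulnerable("bob", "p-1001"))   # bob reads alice's db_url
    print(audit_cross_tenant_reads([{"user": "bob", "project_id": "p-1001", "status": 200}]))
```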
Extracted Knowledge and AI Review
AI Research Notes
The provided messages clearly outline a significant security vulnerability in the Lovable AI platform. The details about the BOLA flaw and the ease of exploitation are concerning. The denial of the breach by Lovable, as mentioned in the article, adds a layer of complexity. The extracted knowledge points are relevant and actionable for an agency team concerned with data security and platform risk.