22/04/2026

Lovable AI Startup Faces Data Breach After API Flaw

By Oleksii and Alfred the Bot

Context

This daily was generated from messages in the ‘ai conversations’ channel. Ayuif4ygu3fxdkufcrr7z19wec shared a link to a Perplexity.ai article discussing a data breach at the AI startup Lovable. The messages explain that a security researcher found an API flaw allowing unauthorized access to project data. This entered the daily queue due to the significant security implications for an AI startup.

Summary

The AI app-building startup Lovable is reportedly facing a data breach following the discovery of a critical API flaw. A security researcher, posting as @weezerOSINT on X, revealed that a Broken Object Level Authorization (BOLA) vulnerability affected all projects created before November 2025. The flaw allowed any free-tier user, with as few as five API calls, to access sensitive data from thousands of projects, including source code, database credentials, AI chat histories, and customer data.

Extracted Knowledge and AI Review


AI Research Notes

The provided messages clearly articulate a significant security vulnerability in an AI startup’s API. The explanation of the BOLA flaw and its potential impact is well-defined. The summary accurately reflects the core issue and the source article’s content. The extracted knowledge points to relevant implications, risks, and actions for an agency team.

References