The disclosure has drawn attention because the alleged weakness appears to fall into one of the most serious categories of API security failure: broken object level authorisation, commonly known as BOLA. In such cases a platform correctly recognises that a user is logged in yet never verifies whether that user is entitled to view the particular object, file or project named in the request, so substituting another user's identifier is often all an attacker needs. The category is ranked API1 in OWASP's 2023 API Security Top 10, a position reflecting both its frequency and its potential to expose highly sensitive data with very little effort.
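The following Python model is an added illustration of the BOLA pattern described above; it is not code from the article, from the researcher, or from Lovable, and the project store, session tokens, field names and sample secrets are all constructed for the example. It places a handler that only authenticates beside one that also authorises, and runs the low-effort attack (walking sequential project ids from a single free account) against both. The split between code and chat/secret fields in the hardened handler mirrors the distinction the company drew between public code and chat messages, but the exact behaviour is an assumption.

```python
"""BOLA (OWASP API1:2023) in miniature: authenticated but not authorised.

Constructed example. The store, tokens and secrets below are invented;
nothing here reflects any real platform's schema or data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class Unauthenticated(Exception):
    """Caller presented no valid session."""


class Forbidden(Exception):
    """Caller is logged in but may not see this object (or it does not exist)."""


@dataclass
class Project:
    project_id: int
    owner: str
    visibility: str            # "private" or "public" (hypothetical field)
    code: str
    chat_log: list[str] = field(default_factory=list)
    secrets: dict[str, str] = field(default_factory=dict)


# Constructed sample data: alice owns 1 (private) and 2 (public); mallory owns 3.
PROJECTS: dict[int, Project] = {
    1: Project(1, "alice", "private", "print('billing app')",
               chat_log=["here is my db url, can you fix the migration?"],
               secrets={"DATABASE_URL": "postgres://app:s3cret@db.internal/prod"}),
    2: Project(2, "alice", "public", "print('landing page')",
               chat_log=["use this stripe key sk_test_EXAMPLE for the demo"],
               secrets={"STRIPE_KEY": "sk_test_EXAMPLE"}),
    3: Project(3, "mallory", "private", "print('scratch')",
               chat_log=["hello"], secrets={"API_TOKEN": "mallory-token"}),
}

# Constructed session table: bearer token -> username. mallory is the free-tier attacker.
SESSIONS: dict[str, str] = {"tok-alice": "alice", "tok-mallory": "mallory"}


def authenticate(token: str) -> str:
    """Authentication only: proves *who* is calling, says nothing about *what* they may read."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated() from None


def get_project_vulnerable(token: str, project_id: int) -> dict:
    """The BOLA shape: the caller is authenticated, then the object is fetched by the
    client-supplied id and returned in full with no check that the caller owns it."""
    authenticate(token)
    project = PROJECTS[project_id]          # KeyError for unknown ids leaks existence too
    return {"project_id": project.project_id, "code": project.code,
            "chat_log": project.chat_log, "secrets": project.secrets}


def get_project_secure(token: str, project_id: int) -> dict:
    """Authorise the (caller, object) pair, then scope the returned fields to the caller's
    relationship with the object. Missing and forbidden objects get the same error so the
    endpoint is not an enumeration oracle."""
    user = authenticate(token)
    project = PROJECTS.get(project_id)
    if project is None:
        raise Forbidden()
    is_owner = project.owner == user
    if not is_owner and project.visibility != "public":
        raise Forbidden()
    view = {"project_id": project.project_id, "code": project.code}
    if is_owner:                            # chat and secrets never leave with a public view
        view["chat_log"] = project.chat_log
        view["secrets"] = project.secrets
    return view


def enumerate_projects(handler, token: str, ids: range) -> dict[int, dict]:
    """Simulate the low-effort attack: one account, sequential ids, keep whatever comes back."""
    leaked: dict[int, dict] = {}
    for pid in ids:
        try:
            leaked[pid] = handler(token, pid)
        except (Forbidden, KeyError):
            continue
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_project_vulnerable), ("secure", get_project_secure)):
        got = enumerate_projects(handler, "tok-mallory", range(1, 5))
        print(name, {pid: sorted(v) for pid, v in got.items()})
```

Run against the vulnerable handler, mallory's free account retrieves alice's private project including its database credential and chat history; against the hardened handler the attacker sees only the public project's code and their own project. The authorisation decision is made on the (caller, object) pair before any data is serialised, and the response shape itself depends on ownership rather than on a client-controlled flag.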
At the centre of the row is a public account by a researcher posting under the handle @weezerOSINT, who said the flaw had been reported more than six weeks before going public. According to accounts now circulating in specialist coverage, the researcher claimed that five API calls from a free account were enough to access another developer’s project data. Those claims described exposure extending beyond code to database credentials, AI conversation logs and customer information. The Register reported that the researcher said the flaw had been reported 48 days earlier and that a March 3 submission date appeared in screenshots tied to the disclosure trail.
Lovable’s public response has been narrower. The company said it had not suffered a data breach and acknowledged that its explanation of what “public” meant had been inadequate. It added that chat messages for public projects had previously been visible but said that was no longer possible. The company also maintained that code visibility in public projects was intentional and consistent with how the product was meant to work. That distinction is central to the dispute: researchers and some independent reports describe an access-control failure affecting legacy projects, while the company has sought to frame at least part of the exposure as a consequence of product settings and documentation rather than a hostile compromise.
Even with that dispute unresolved, the practical concern for users is plain. Developers working in AI-assisted environments often paste secrets into prompts, logs and debugging threads, particularly during rapid prototyping. When those conversations sit alongside source code and deployment details, a single authorisation gap can expose far more than a traditional code leak. That risk has become more acute as AI coding platforms move from toy projects into production workflows, handling customer data, payment integrations and operational infrastructure. Lovable itself has been adding enterprise-style security features and highlighted a penetration-testing partnership in March, underscoring how sharply the market is shifting towards trust, compliance and secure deployment.
The timing is awkward for a company that has been scaling quickly. Lovable was founded in 2023 and was reported to have raised $330 million in December at a $6.6 billion valuation. At the same time, the broader ecosystem of AI-generated apps has been under pressure over security standards. Lovable had already attracted attention in 2025 after cybersecurity researchers and threat analysts linked the platform to wider misuse by criminals building phishing and fraud pages, even as the company said it had introduced stronger detection and takedown measures. The latest controversy is different in nature, but it lands in a market already wrestling with whether speed-to-app can coexist with disciplined security engineering.
For Lovable users, the most pressing question is whether older projects require review, rotation of credentials and tighter visibility controls. Reports around the flaw have consistently pointed to legacy projects created before November 2025, while Lovable has said enterprise customers have not been able to set new projects to public since May 25, 2025. Those details suggest that exposure, if confirmed in full, may not be uniform across all accounts and project types. Yet they also hint at a platform that evolved its security model over time, leaving a potentially awkward inheritance problem for older workspaces.