
Vibe Coding Upstart Lovable Denies Data Leak, Cites 'Intentional Behavior,' Then Throws HackerOne Under the Bus
Why It Matters
The breach exposed sensitive data of enterprise clients such as Uber and Deutsche Telekom, eroding trust in AI‑assisted development tools and underscoring the need for effective bug‑bounty oversight.
Key Takeaways
- BOLA flaw let free accounts read other users' code and credentials
- Lovable initially claimed the exposure was intentional, not a breach
- HackerOne marked the report duplicate, delaying remediation
- Public‑project visibility changes caused user confusion
- Company patched API and moved to private‑by‑default after incident
Pulse Analysis
AI‑driven coding platforms have surged in popularity, promising faster development cycles for enterprises like Uber, Zendesk, and Deutsche Telekom. Lovable, a high‑profile startup with a $6.6 billion valuation, illustrates the double‑edged sword of rapid innovation: while its vibe‑coding engine accelerates code generation, inadequate access controls can turn a productivity tool into a data‑leak conduit. The recent BOLA vulnerability exposed not only source code but also embedded database credentials, highlighting how API design flaws can cascade into severe confidentiality breaches.
The technical root of the issue lay in missing ownership validation on Lovable’s project‑level endpoints. By simply issuing five API calls from a free account, a researcher accessed another user’s public project, extracted source files, and retrieved hard‑coded secrets. Compounding the problem, Lovable’s documentation ambiguously described the "public" setting, and the company’s bug‑bounty partner, HackerOne, classified the report as a duplicate, preventing internal escalation. This chain of missteps underscores the importance of clear security documentation and rigorous triage processes within third‑party disclosure programs.
For the broader AI‑coding market, the incident serves as a cautionary tale. Enterprises increasingly rely on such tools for mission‑critical code, making robust access controls and transparent vulnerability handling non‑negotiable. Companies must adopt private‑by‑default settings, enforce strict object‑level authorization on every endpoint that takes an object identifier, and maintain accountable bug‑bounty workflows. Lovable’s swift patch and policy shift are steps in the right direction, but rebuilding client confidence will require demonstrable security maturity and ongoing third‑party audits.
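To make the root cause concrete, here is an added example (not code from the page or from Lovable) of a project‑read handler that checks only that the object exists, beside a hardened version that enforces object‑level authorization, keeps the credentials block out of any non‑owner view, and creates projects private by default. The project ids, owners, file contents and secrets are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    project_id: str
    owner_id: str
    visibility: str = "private"                  # private-by-default
    source: dict = field(default_factory=dict)   # path -> file contents
    env: dict = field(default_factory=dict)      # e.g. DATABASE_URL (secret)

# Constructed sample data: ids, owners and secrets are invented for this
# example and do not describe Lovable's real data model.
PROJECTS = {
    "p-100": Project("p-100", "alice", "public",
                     {"app.py": "print('hi')"}, {"DATABASE_URL": "postgres://u:p@db/x"}),
    "p-200": Project("p-200", "bob", "private",
                     {"main.go": "package main"}, {"API_KEY": "k-secret"}),
}

def get_project_vulnerable(caller_id: str, project_id: str):
    """BOLA pattern: the handler checks that the object exists but never that
    the caller is allowed to see it, so any signed-in account can read any
    project, including the env block where hard-coded credentials live."""
    p = PROJECTS.get(project_id)
    if p is None:
        return 404, {}
    return 200, {"source": p.source, "env": p.env}

def get_project_hardened(caller_id: str, project_id: str):
    """Object-level authorization: the owner gets everything; anyone else gets
    the source only when the project is explicitly public, and the env block
    is never part of a non-owner view. Missing and forbidden both answer 404
    so the endpoint does not confirm which project ids exist."""
    p = PROJECTS.get(project_id)
    if p is None:
        return 404, {}
    if caller_id == p.owner_id:
        return 200, {"source": p.source, "env": p.env}
    if p.visibility == "public":
        return 200, {"source": p.source}
    return 404, {}

def create_project(project_id: str, owner_id: str, **kwargs) -> Project:
    """Projects stay private unless the owner explicitly passes visibility="public"."""
    p = Project(project_id, owner_id, **kwargs)
    PROJECTS[project_id] = p
    return p
```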