Lovable, a vibe-coding platform valued at $6.6 billion, has been embroiled in controversy after a researcher claimed a security flaw allowed access via a free account to other users’ source code, database credentials and AI chat histories, The Register reported on Sunday.
A researcher who uses the handle @weezerOSINT on X said, "By creating a free account and calling the API only 5 times, I accessed other users' profiles, public projects and source code, and extracted database credentials from the source code." The flaw is a broken object level authorisation (BOLA) issue in which an API exposes other users' data without verifying ownership.
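To make the BOLA pattern described above concrete, here is an added illustration written for this article; it is not Lovable's code and says nothing about how Lovable's API is actually built. It shows a project-chat handler that looks an object up by id without checking who is asking, beside a hardened version that ties chat history to the project owner and treats a project's public visibility as applying to its source only. A small log-review helper flags callers who collect authorisation failures across many distinct projects, the kind of signal a defender would alert on. All project data, caller names, events and function names are constructed for the example.

```python
"""Added example (not from the original article or from Lovable): a broken
object level authorisation (BOLA) bug beside its fix, plus a simple detection
check over constructed access-log events."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Project:
    id: str
    owner: str
    visibility: str                      # "public" or "private"
    source: str = ""
    chats: list = field(default_factory=list)


# Constructed sample store: one public and one private project.
PROJECTS = {
    "p1": Project("p1", "alice", "public", "print('hello')", ["make a landing page"]),
    "p2": Project("p2", "bob", "private", "DB_URL=postgres://example.invalid/db", ["add a login form"]),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_chats_vulnerable(caller: str, project_id: str) -> list:
    # BOLA: the object is fetched by id alone. The caller's identity is
    # accepted but never compared with the object's owner, so any
    # authenticated account can read any project's chat history.
    return PROJECTS[project_id].chats


def get_chats_hardened(caller: str, project_id: str) -> list:
    # Ownership check on every object access. Chat history is treated as
    # owner-only even when the project itself is public.
    project = PROJECTS.get(project_id)
    if project is None or project.owner != caller:
        # One response for "missing" and "not yours" so the endpoint does not
        # confirm which ids exist.
        raise Forbidden("not authorised")
    return project.chats


def get_source_hardened(caller: str, project_id: str) -> str:
    # Visibility governs the source: public projects are readable by anyone,
    # private ones only by their owner. This is the decision the chat
    # endpoint must NOT inherit.
    project = PROJECTS.get(project_id)
    if project is None:
        raise Forbidden("not authorised")
    if project.visibility != "public" and project.owner != caller:
        raise Forbidden("not authorised")
    return project.source


def suspicious_callers(events, threshold: int = 3) -> set:
    # Detection heuristic: a caller whose requests were refused on `threshold`
    # or more distinct project ids is probing object ids, not using the app.
    refused = defaultdict(set)
    for caller, project_id, outcome in events:
        if outcome == "forbidden":
            refused[caller].add(project_id)
    return {c for c, ids in refused.items() if len(ids) >= threshold}


# Constructed access-log events: (caller, project_id, outcome).
SAMPLE_EVENTS = [
    ("alice", "p1", "ok"),
    ("mallory", "p1", "forbidden"),
    ("mallory", "p2", "forbidden"),
    ("mallory", "p3", "forbidden"),
    ("bob", "p2", "ok"),
]


if __name__ == "__main__":
    print("vulnerable handler leaks:", get_chats_vulnerable("mallory", "p2"))
    try:
        get_chats_hardened("mallory", "p2")
    except Forbidden as exc:
        print("hardened handler refuses:", exc)
    print("public source still readable:", get_source_hardened("mallory", "p1"))
    print("callers to review:", suspicious_callers(SAMPLE_EVENTS))
```

The point of keeping two hardened functions is that "public" is a property of one field set (the source), not of the object as a whole; the fix is a per-endpoint ownership decision, not a single visibility flag consulted everywhere. The detection helper is deliberately crude; in practice the same count would be taken per time window and combined with the caller's account age.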
The researcher said he reported the flaw 48 days ago but Lovable treated it as a "duplicate submission" and left it unaddressed. He later reported it to bug bounty service HackerOne.
According to The Register, Lovable's explanations on the matter have continued to change. It initially said there was "no data breach" and described the exposure of chats in public projects as "intended by design." It later said "documentation was unclear," then shifted responsibility by saying HackerOne viewed access to public project chats as intended behaviour and did not escalate the report. In other words, HackerOne did not deem it a security issue and did not request an urgent fix from Lovable's development team.
Lovable later explained the sequence of events in an official statement. It said it switched the default to private across all tiers in December 2025, but access to public project chats was mistakenly re-enabled in February 2026 during backend permission consolidation work.
Lovable said, "HackerOne partners determined that viewing public project chats was intended behaviour and closed the report without escalation," adding that it rolled back the change immediately after discovering the issue and switched all public project chats back to private.