Lovable, a $6.6 billion AI code generation platform, failed to prevent a BOLA (Broken Object Level Authorization) vulnerability that allowed free-account users to access other users' credentials, chat histories, and source code. The company initially blamed "intentional behavior" and unclear documentation, then shifted blame to HackerOne. The incident raises questions about security accountability at AI startups serving major clients such as Uber, Zendesk, and Deutsche Telekom.
Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus
$6.6B AI startup Lovable exposed user credentials and source code through a BOLA vulnerability, then deflected blame to HackerOne instead of owning the security failure.
Monday, April 20, 2026, 12:00 PM UTC | Source: The Register | By sys://pipeline