Vibe Coding’s Security Crisis: 48 Days of Exposed Projects | Stack of Truths

Vibe Coding’s Security Crisis: 48 Days of Exposed Projects

April 22, 2026 — 7 min read — Pedro Jose

Lovable, the $6.6 billion vibe coding platform with eight million users, left thousands of projects exposed for 48 days.

A broken object-level authorization vulnerability in Lovable’s API allowed anyone with a free account to access another user’s profile, public projects, source code, and database credentials in as few as five API calls.
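The bug class in one screen, as an added example that is not Lovable's code: a handler that authenticates the caller but never checks whether the caller may read the requested object, beside the fixed version. The in-memory project store, the user ids and the embedded "credential" string are all constructed for illustration.

```python
# Added example, not Lovable's code: the shape of a broken object-level
# authorization (BOLA) bug and the check that fixes it. The in-memory project
# store, user ids and the embedded "credential" string are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    id: str
    owner_id: str
    is_public: bool
    source: str


# Constructed store: one public project and one private project whose source
# carries a hardcoded key, as the article describes for real projects.
PROJECTS = {
    "p-100": Project("p-100", "user-alice", True, "export const appName = 'demo';"),
    "p-200": Project(
        "p-200", "user-bob", False,
        "const SUPABASE_SERVICE_KEY = 'service-role-PLACEHOLDER';",  # not a real key
    ),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_source_vulnerable(caller_id: str, project_id: str) -> str:
    """Authenticates the caller but never authorizes the object: any logged-in
    account (a free one will do) can fetch any project id it can guess."""
    if not caller_id:
        raise Forbidden("login required")
    return PROJECTS[project_id].source


def get_source_fixed(caller_id: str, project_id: str) -> str:
    """Object-level check: the project must be public or owned by the caller.
    Missing and unauthorized ids get the same answer so ids cannot be enumerated."""
    if not caller_id:
        raise Forbidden("login required")
    project = PROJECTS.get(project_id)
    if project is None or not (project.is_public or project.owner_id == caller_id):
        raise Forbidden("not found")
    return project.source


def contains_secret(source: str) -> bool:
    """Crude marker check used only by this demo."""
    return "SERVICE_KEY" in source


def demo() -> dict:
    """Exercise both handlers as an attacker ("user-mallory", a free account)."""
    leaked = get_source_vulnerable("user-mallory", "p-200")
    try:
        get_source_fixed("user-mallory", "p-200")
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "vulnerable_leaks_secret": contains_secret(leaked),
        "fixed_blocks_private": blocked,
        "fixed_allows_public": get_source_fixed("user-mallory", "p-100") == PROJECTS["p-100"].source,
        "fixed_allows_owner": get_source_fixed("user-bob", "p-200") == PROJECTS["p-200"].source,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the ownership-or-visibility test on every object read, not a different login check; note also that the fixed handler returns the same error for missing and foreign ids, so an attacker walking sequential ids learns nothing about which ones exist.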

The researcher reported it on March 3. Lovable patched it for new projects but never fixed it for existing ones, marked a follow-up report as a duplicate, and closed it.

⚠️ THE REALITY

This wasn’t a sophisticated hack. It was a basic API vulnerability. And Lovable knew about it for 48 days before the public found out.

What Was Exposed

The April incident affected projects created before November 2025. The researcher demonstrated that extracting source code from Lovable’s API also yielded hardcoded Supabase database credentials.

One affected project belonged to Connected Women in AI, a Danish nonprofit. Its exposed data contained real user records including names, job titles, LinkedIn profiles, and Stripe customer IDs — linked to individuals at Accenture Denmark and Copenhagen Business School.

Employees at Nvidia, Microsoft, Uber, and Spotify reportedly have Lovable accounts tied to affected projects.

🔐 This was the third documented security incident involving Lovable.

In February, a tech entrepreneur found 16 vulnerabilities, six critical, in a single app hosted on Lovable. The most severe was inverted authentication logic that granted anonymous users full access while blocking authenticated users. The app exposed 18,697 user records including 4,538 student accounts from UC Berkeley and UC Davis — with minors likely on the platform. His support ticket was closed without a response.

The Vibe Coding Security Crisis

Lovable is not uniquely insecure. It is representatively insecure.

  • 40-62% of AI-generated code contains vulnerabilities
  • 2.74x more flaws than human-written code
  • 91.5% of vibe-coded apps had AI hallucination flaws
  • 60% exposed API keys in public repos

A first-quarter 2026 assessment of more than 200 vibe-coded applications found that 91.5% contained at least one vulnerability traceable to AI hallucination. More than 60% exposed API keys or database credentials in public repositories.

The vulnerability classes are the same across every major vibe coding platform:

  • Disabled row-level security
  • Hardcoded secrets
  • Missing webhook verification
  • Injection flaws
  • Broken access controls
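One of those classes, missing webhook verification, in working code as an added example (not from the page or any vendor SDK): a handler that acts on whatever it receives, beside one that verifies a Stripe-style signature over the raw body first. The header layout assumed here, `t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, mirrors Stripe's documented scheme; the endpoint secret, the order state, the event body and the timestamps are constructed.

```python
# Added example, not the page's or any vendor's code: a webhook handler that
# acts on whatever it receives, beside one that verifies a Stripe-style
# signature first. The header layout assumed here,
#   t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">,
# mirrors Stripe's documented scheme; secret, body and timestamps are constructed.
import hashlib
import hmac
import json
import re


def _expected_sig(secret: str, ts: int, body: bytes) -> str:
    return hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: str, body: bytes, ts: int) -> str:
    """What a legitimate sender attaches; used here only to build test input."""
    return f"t={ts},v1={_expected_sig(secret, ts, body)}"


def verify(secret: str, body: bytes, header: str, now: int, tolerance: int = 300) -> bool:
    """True only if some v1 signature matches the raw body and the timestamp is fresh."""
    ts, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1" and re.fullmatch(r"[0-9a-f]{64}", value):
            candidates.append(value)
    if ts is None or not candidates:
        return False
    if abs(now - ts) > tolerance:  # stale or replayed events are rejected
        return False
    expected = _expected_sig(secret, ts, body)
    # compare_digest is constant-time; a plain == leaks where the mismatch starts
    return any(hmac.compare_digest(expected, c) for c in candidates)


ORDERS = {"o-1": "unpaid"}  # constructed state the handlers mutate


def handle_vulnerable(body: bytes) -> str:
    """No verification: anyone who finds the URL can mark an order paid."""
    event = json.loads(body)
    if event.get("type") == "checkout.session.completed":
        ORDERS[event["order"]] = "paid"
        return "ok"
    return "ignored"


def handle_secure(secret: str, body: bytes, header: str, now: int) -> str:
    """Verify the raw bytes before parsing; on failure nothing changes."""
    if not verify(secret, body, header, now):
        return "rejected"
    return handle_vulnerable(body)  # the same business logic, now gated


def demo() -> dict:
    secret = "whsec_PLACEHOLDER"  # constructed endpoint secret
    ts = 1_700_000_000
    forged = b'{"type":"checkout.session.completed","order":"o-1"}'
    results = {}
    ORDERS["o-1"] = "unpaid"
    results["forged_unverified"] = (handle_vulnerable(forged), ORDERS["o-1"])
    ORDERS["o-1"] = "unpaid"
    results["forged_verified"] = (handle_secure(secret, forged, f"t={ts},v1={'0' * 64}", ts + 5), ORDERS["o-1"])
    results["genuine"] = (handle_secure(secret, forged, sign(secret, forged, ts), ts + 5), ORDERS["o-1"])
    results["replayed_an_hour_later"] = handle_secure(secret, forged, sign(secret, forged, ts), ts + 3600)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the MAC must be computed over the exact bytes received, not over a re-serialised JSON object (whitespace or key order changes break it), and the timestamp window only limits replay, so a processed-event-id check is still needed for exactly-once handling.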

The Pattern Across Platforms

Bolt.new ships with row-level security off by default.

Cursor has had multiple CVEs patched, including a case-sensitivity bypass enabling persistent remote code execution.

Moltbook, a vibe-coded social network, was breached within three days of launch, exposing 1.5 million API authentication tokens and 35,000 email addresses through a misconfigured Supabase database with no row-level security.

THE VIBE CODING SECURITY CRISIS BY THE NUMBERS

  • 40-62% of AI-generated code is vulnerable
  • 91.5% of vibe-coded apps have AI hallucination flaws
  • 60% exposed API keys in public repos
  • 35 CVEs from AI-generated code in March alone
  • The true figure is 5-10x higher than detected (Georgia Tech estimate)
  • 60% of all new code will be AI-generated by year end

Lovable’s Response

When the researcher went public, Lovable’s response followed a pattern that security researchers found more telling than the vulnerability itself:

  • First: “We did not suffer a data breach” — called the exposed data “intentional behavior”
  • Then: Blamed its own documentation — what “public” implies “was unclear”
  • Then: Blamed its bug bounty partner HackerOne — reports were “closed without escalation”
  • Finally: Issued a partial apology — “pointing to documentation issues alone was not enough”

Cybernews headlined its coverage: “Lovable goes on ego trip denying vulnerability, then blames others for said vulnerability.”

The Economic Incentive Problem

Lovable hit $4 million in annual recurring revenue in its first four weeks and $10 million within two months, with a team of 15 people. It raised $200 million at a $1.8 billion valuation in July 2025 and $330 million at $6.6 billion in December.

Enterprise adoption of vibe coding grew 340% year over year. Non-technical user adoption surged 520%. Eighty-seven percent of Fortune 500 companies have adopted at least one vibe coding platform.

💰 The market rewards speed and accessibility.

Security is a cost centre that slows both. Lovable’s handling of the March and April incidents illustrates the dynamic perfectly: a bug bounty report closed without escalation, a vulnerability affecting thousands patched for new users but not existing ones, and a public response cycling through denial, deflection, and a partial apology within a single day.

What This Means for Small Businesses

If you’re using vibe coding platforms to build your product, you are shipping code you never had a chance to secure.

As Trend Micro framed it: “The real risk of vibe coding isn’t AI writing insecure code. It’s humans shipping code they never had a chance to secure.”

App Store submissions driven by vibe coding tools surged 84 percent. Thirty-five CVEs from AI-generated code were disclosed in March alone, up from six in January, and Georgia Tech estimates the true figure is five to ten times higher than what is detected.

What You Should Do Right Now

  1. Audit your vibe-coded applications — Assume they have vulnerabilities. Check every table for row-level security; it is often disabled by default.
  2. Rotate all credentials — If you used Lovable, assume your Supabase keys, and anything else hardcoded in the project source, are compromised.
  3. Review exposed data — Check which of your projects were created before November 2025 and what user data they held.
  4. Don’t trust the platform’s security — They closed a bug report as a duplicate without escalating it. They blamed everyone else first.
  5. Get a real pentest — Automated scanners miss what human-led red teaming finds.
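A starting point for steps 1 and 2, as an added example that is not the page's code: a small scan for the two credential types this story turns on. It assumes Supabase's legacy JWT-format API keys, whose payload carries a "role" claim ("anon" for the browser key, "service_role" for the key that bypasses row-level security), and Stripe secret keys prefixed sk_live_/sk_test_. The sample file tree and the tokens in it are constructed; the JWTs carry a dummy signature, so nothing below is a usable credential.

```python
# Added example, not the page's code: a small scan for the credential types this
# story turns on. Assumes Supabase's legacy JWT-format API keys (payload "role"
# claim: "anon" or "service_role") and Stripe secret keys (sk_live_/sk_test_).
# The sample files and tokens are constructed; JWTs carry a dummy signature.
import base64
import json
import re

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
STRIPE_RE = re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def fake_jwt(claims: dict) -> str:
    """Build a structurally valid JWT with a dummy signature (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def jwt_role(token: str):
    """Read the 'role' claim without verifying the token: we are scanning, not trusting."""
    try:
        return json.loads(_b64url_decode(token.split(".")[1])).get("role")
    except (ValueError, IndexError, AttributeError):
        return None


def scan_file(path: str, text: str) -> list:
    """Return (path, line, severity, reason) tuples for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in JWT_RE.finditer(line):
            role = jwt_role(m.group())
            if role == "service_role":
                findings.append((path, lineno, "critical", "Supabase service_role key: bypasses RLS entirely"))
            elif role == "anon":
                findings.append((path, lineno, "info", "Supabase anon key: safe only if RLS is enabled on every table"))
        for m in STRIPE_RE.finditer(line):
            findings.append((path, lineno, "critical", f"Stripe secret key ({m.group()[:8]}...)"))
    return findings


def scan_files(files: dict) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


# Constructed sample tree resembling a generated Supabase + Stripe app.
SAMPLE_FILES = {
    "src/lib/supabase.ts": (
        "import { createClient } from '@supabase/supabase-js';\n"
        f"const SERVICE_KEY = '{fake_jwt({'iss': 'supabase', 'ref': 'abcdefghij', 'role': 'service_role'})}';\n"
        "export const admin = createClient(URL, SERVICE_KEY);\n"
    ),
    "src/client.ts": f"export const ANON_KEY = '{fake_jwt({'iss': 'supabase', 'ref': 'abcdefghij', 'role': 'anon'})}';\n",
    "src/api/checkout.ts": "const stripe = new Stripe('sk_live_PLACEHOLDER0000000000');\n",
    "README.md": "No keys here.\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(*finding)
```

Run it over a checkout of the project and over the built bundle the platform serves, not just the source: a key that reaches the browser is public regardless of where it lives in the repo. A hit on a service-role key means rotating it; newer non-JWT key formats need their own patterns and are not covered here.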

🔮 The bottom line: Vibe coding is here to stay. Gartner forecasts 60% of all new code will be AI-generated by the end of this year. But the security industry is not keeping pace. The platforms are incentivized to grow, not secure. The users lack the expertise to identify vulnerabilities. And the regulators haven’t caught up.

Until that changes, the responsibility falls on you. Test everything. Assume nothing.
🦞🔐

Worried about your vibe-coded application?

AI agent pentesting. API vulnerability assessment. Source code audit. Row-level security testing.

I find what automated scanners miss — and what vibe coding platforms won’t tell you.

📩 DM @StackOfTruths on X

Free 15-min consultation. No hard sell. Just honest answers about your AI agent security.


© 2026 Stack of Truths — AI Agent Pentesting & Security Audits. All opinions are my own.
English is not my first language, I use AI to help write clearly. The ideas and experience are mine.

🦞 “10 years cybersecurity. 5 years AI. I break AI agents so you don’t get broken.”
