Supabase and Lovable: AI-built app on Lovable exposed 18K users, researcher claims

Lovable Platform Under Fire After AI-Generated App Exposes 18,000 Users’ Data

A security researcher has uncovered critical vulnerabilities in an app hosted on the AI-driven vibe-coding platform Lovable, exposing the personal data of over 18,000 users, including students and educators from top U.S. universities. Tech entrepreneur Taimur Khan identified 16 flaws, six of them deemed critical, in an unnamed app featured on Lovable’s Discover page, which had amassed over 100,000 views and 400 upvotes.

The app, designed for creating exam questions and managing grades, relied on Supabase for authentication and database management. However, the AI-generated backend lacked security controls such as row-level security (RLS) and role-based access, and it contained logic flaws that inverted access permissions. For example, a faulty authentication function blocked legitimate users while allowing unauthenticated attackers to access sensitive data, delete accounts, alter grades, and extract admin emails.
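The following is an added illustration, not code from the app, from Lovable, or from Supabase's own documentation. A constructed `public.grades` table shows the exposed state the article describes (a Supabase table on which RLS was never enabled, so the public anon key can read and write every row) beside a hardened version with RLS policies keyed on `auth.uid()` and an explicit role check, followed by two queries a reviewer can run to find tables that are still open. The table and column names, the `app_metadata.role` claim, and the deliberately inverted `can_see_grade_bad` function are assumptions made for this example, not a reconstruction of the real app's code.

```sql
-- Added example (assumed schema, not the app's code). Run in the Supabase SQL editor
-- or psql against a Supabase Postgres database, where auth.uid() and auth.jwt() exist.

-- 1. Exposed state. A table in the public schema is reachable through the REST API by
--    the anon and authenticated roles; without RLS every row is visible and writable to
--    anyone who holds the public anon key that ships in the front-end bundle.
create table public.grades (
  id          bigint generated always as identity primary key,
  student_id  uuid not null references auth.users (id),
  teacher_id  uuid not null references auth.users (id),
  course      text not null,
  score       numeric(5,2) not null
);
-- (no "enable row level security" here: this is the open state)

-- 2. Constructed example of an inverted access check, the class of bug the article
--    describes (NOT the app's actual function). auth.uid() is NULL for anonymous
--    callers, and NULL IS DISTINCT FROM <uuid> is true, so anonymous callers pass
--    while the one legitimate reader (the student themselves) is the only one blocked.
create or replace function public.can_see_grade_bad(p_student uuid)
returns boolean language sql stable as $$
  select auth.uid() is distinct from p_student;
$$;

-- 3. Hardened state: turn RLS on, then write narrow allow policies. With RLS enabled
--    and no matching policy, a request sees zero rows, which is the safe default.
alter table public.grades enable row level security;

-- Students read only their own rows. Anonymous callers match nothing, because
-- auth.uid() is NULL and "NULL = student_id" is never true.
create policy grades_student_read on public.grades
  for select to authenticated
  using (auth.uid() = student_id);

-- Teachers read and change only rows for courses they own; WITH CHECK stops a
-- teacher from inserting or updating a row into someone else's course.
create policy grades_teacher_all on public.grades
  for all to authenticated
  using (auth.uid() = teacher_id)
  with check (auth.uid() = teacher_id);

-- Role-based access: the admin role is read from a JWT claim (claim name assumed)
-- and the default is deny. coalesce() turns a missing claim into false, never true.
create or replace function public.is_admin()
returns boolean language sql stable as $$
  select coalesce((auth.jwt() -> 'app_metadata' ->> 'role') = 'admin', false);
$$;

create policy grades_admin_all on public.grades
  for all to authenticated
  using (public.is_admin())
  with check (public.is_admin());

-- 4. Review queries. First: public tables with RLS still disabled.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- Second: policies whose USING clause is unconditional, which is equivalent to
-- having no RLS for the roles they name.
select tablename, policyname, roles, cmd, qual
from pg_policies
where schemaname = 'public' and qual = 'true';
```

Two properties of this setup are worth keeping in mind when reviewing generated backends. Postgres policies are permissive by default and are OR-ed together, so one over-broad policy such as `using (true)` reopens a table that every other policy locks down; the second review query exists to catch exactly that. And the Supabase `service_role` key bypasses RLS entirely, so it belongs only on a trusted server, never in client code or a generated front end.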

The exposed dataset included 14,928 unique email addresses, 4,538 student accounts, and 870 records with full personally identifiable information (PII). Users spanned K-12 institutions and universities such as UC Berkeley and UC Davis.

Khan criticized Lovable’s response after his initial report was allegedly closed without action, arguing that the platform should bear responsibility for apps it generates and promotes. Lovable’s CISO, Igor Andriushchenko, countered that the company received a "proper disclosure" only on February 26 and acted within minutes, noting that users are responsible for implementing security recommendations from pre-publish scans. He added that the vulnerable database was not hosted by Lovable and that the app’s creator is now addressing the issues.

The incident highlights broader concerns about AI-generated code, with studies like Veracode’s finding that 45% of such code contains security flaws. While vibe coding, named Collins Dictionary’s Word of the Year for 2025, aims to democratize app development, critics warn that unchecked AI tools can produce functional but dangerously insecure software. Lovable has since contacted the app’s owner to mitigate the risks.

Source: https://www.theregister.com/2026/02/27/lovable_app_vulnerabilities/

Lovable Technology (MustWin, LLC) cybersecurity rating report: https://www.rankiteo.com/company/mustwin

Supabase cybersecurity rating report: https://www.rankiteo.com/company/supabase

{
"id": "MUSSUP1772216763",
"linkid": "mustwin, supabase",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '18,000+ (students, educators, '
                                              'K-12 institutions, universities '
                                              'like UC Berkeley and UC Davis)',
                        'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'Unnamed app (Lovable platform)',
                        'type': 'AI-generated educational app'}],
 'attack_vector': 'Misconfigured AI-generated backend (Supabase)',
 'data_breach': {'data_exfiltration': 'Possible (unauthenticated access '
                                      'allowed data extraction)',
                 'number_of_records_exposed': '18,000+ (14,928 unique emails, '
                                              '4,538 student accounts, 870 '
                                              'full PII records)',
                 'personally_identifiable_information': 'Yes (full PII in 870 '
                                                        'records)',
                 'sensitivity_of_data': 'High (PII, educational records)',
                 'type_of_data_compromised': ['Email addresses',
                                              'Student accounts',
                                              'Full PII']},
 'description': 'A security researcher uncovered critical vulnerabilities in '
                'an app hosted on the AI-driven *vibe-coding* platform '
                'Lovable, exposing the personal data of over 18,000 users, '
                'including students and educators from top U.S. universities. '
                'The app, designed for creating exam questions and managing '
                'grades, had logic flaws due to missing security controls like '
                'row-level security (RLS) and role-based access, allowing '
                'unauthenticated attackers to access sensitive data, delete '
                'accounts, alter grades, and extract admin emails.',
 'impact': {'brand_reputation_impact': 'Criticism of Lovable’s response and '
                                       'responsibility for AI-generated apps',
            'data_compromised': "18,000+ users' data exposed",
            'identity_theft_risk': 'High (PII exposed)',
            'operational_impact': 'Unauthorized access to grades, account '
                                  'deletions, and admin email extraction',
            'systems_affected': 'AI-generated app backend (Supabase)'},
 'investigation_status': 'Ongoing (app owner addressing vulnerabilities)',
 'lessons_learned': 'AI-generated code can introduce critical security flaws; '
                    'platforms like Lovable must enforce security best '
                    'practices for generated apps. Pre-publish scans and user '
                    'education are insufficient without mandatory controls.',
 'post_incident_analysis': {'corrective_actions': ['App owner implementing RLS '
                                                   'and role-based access',
                                                   'Lovable contacting app '
                                                   'creator to mitigate risks'],
                            'root_causes': ['Missing row-level security (RLS) '
                                            'in Supabase backend',
                                            'Logic flaws in AI-generated '
                                            'authentication',
                                            'Lack of role-based access '
                                            'controls',
                                            'Insufficient pre-publish security '
                                            'enforcement by Lovable']},
 'recommendations': ['Implement mandatory row-level security (RLS) and '
                     'role-based access for AI-generated apps',
                     'Enforce security reviews before app publication',
                     'Improve incident response transparency and '
                     'accountability',
                     'Educate users on secure coding practices for '
                     'AI-generated backends'],
 'references': [{'source': 'Security researcher Taimur Khan'}],
 'response': {'communication_strategy': 'Public disclosure by security '
                                        'researcher; Lovable’s CISO responded '
                                        'to criticism',
              'containment_measures': 'Lovable contacted the app’s owner to '
                                      'mitigate risks',
              'remediation_measures': 'App creator addressing security issues '
                                      '(implementing RLS, role-based access)'},
 'title': 'Lovable Platform Under Fire After AI-Generated App Exposes 18,000 '
          'Users’ Data',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Missing row-level security (RLS), role-based '
                            'access controls, and logic flaws in '
                            'authentication'}