Lovable left thousands of projects exposed for 48 days, and the vibe coding security crisis is only getting worse

Lovable's Security Crisis: 48 Days of Unaddressed Vulnerabilities

Lovable, the $6.6 billion vibe coding platform with eight million users, has faced a series of security incidents revealing critical weaknesses in its system. These include exposure of source code, database credentials, and thousands of user records. The most recent incident, which went unresolved for 48 days, highlights a deeper structural problem within the vibe coding industry.

Summary:

In April 2026, security researchers disclosed a critical vulnerability in Lovable's API that allowed unauthorized access to user profiles and projects. The issue had been reported through Lovable's bug bounty program on March 3rd but was never fully addressed: the platform patched the flaw for newly created projects but left existing ones vulnerable.

Lovable initially downplayed the incident, stating that the exposed data was "intentional behavior" and blaming documentation issues. However, they later issued a partial apology, acknowledging that their response was inadequate. This episode is emblematic of broader challenges within vibe coding, where:

  • 40-62% of AI-generated code contains vulnerabilities.
  • 91.5% of vibe-coded apps had AI hallucination-related flaws in Q1 2026.
  • 60% of all new code is projected to be AI-generated by the end of the year.

The recent incident affected projects created before November 2025, exposing data from organizations like Connected Women in AI, including sensitive information on individuals associated with prominent companies like Accenture Denmark and Copenhagen Business School. Even employees from tech giants such as Nvidia, Microsoft, Uber, and Spotify were found to have affected accounts.

This security crisis raises profound questions about the incentive structures within the vibe coding market, suggesting a need for greater emphasis on security alongside rapid development.