AI-built app on 18,000 users published on Lovable, researchers claim • The Register

Vibe coding platform Lovable has been accused of hosting an app riddled with vulnerabilities after saying users are responsible for addressing security issues reported to them before they are published.

Taimur Khan, a technology entrepreneur with a background in software engineering, said he found 16 vulnerabilities, six of them critical, in a single app hosted by Lovable, which together compromised the data of more than 18,000 people.

He declined to name the app during the disclosure process, but it is hosted on Lovable’s platform and featured on its Discover page. At the time Khan began his research, the app had more than 100,000 views and about 400 upvotes.

The main issue, Khan said, is that all apps vibecoded on Lovable’s platform ship with Supabase on the backend, which handles authentication, file storage, and real-time updates via a PostgreSQL database connection.

However, if the developer (in this case the AI) or the human project owner fails to explicitly implement critical security features such as Supabase’s row-level security and role-based access, the result is code that appears to work but is actually flawed.

An example of this was a malformed authentication function. The AI that vibe-coded the Supabase backend with remote procedure calls implemented flawed access-control logic that effectively blocked authenticated users and allowed access to unauthenticated ones.

Khan said the intent was to block non-administrators from accessing parts of the app, but said the implementation was flawed, resulting in all logged-in users being blocked and errors occurring repeatedly across multiple critical functions.

“This is a throwback,” Khan said. “Guards block people who should be allowed and allow people who should be blocked. A classic logical inversion that a human security reviewer would spot in seconds, but an AI code generator that optimizes and deploys ‘working code’ into production.”
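To make the two failure modes concrete (missing row-level security, and an RPC guard whose test is inverted so that every logged-in user is refused while an unauthenticated caller passes), here is an added SQL illustration for a Supabase-style Postgres backend. It is not code from the audited app, from Lovable or from Supabase; the table and column names (`profiles`, `submissions`, `is_admin`) are assumed for the example, while `auth.uid()` is Supabase’s real helper that returns the caller’s user id, or NULL when the request arrives unauthenticated with the public anon key.

```sql
-- Added illustration, not the audited app's code. Schema names are assumed.
create table if not exists profiles (
  id       uuid primary key,          -- same id as auth.users.id in Supabase
  email    text not null,
  is_admin boolean not null default false
);

create table if not exists submissions (
  id         bigserial primary key,
  student_id uuid not null references profiles(id),
  grade      integer
);

-- (1) Row-level security. With RLS off, any client holding the project's anon
--     key can read every row through the auto-generated REST API. Enabling RLS
--     with no policy denies everything; each policy re-opens one path.
alter table profiles    enable row level security;
alter table submissions enable row level security;

create policy own_profile    on profiles    for select using (id = auth.uid());
create policy own_submission on submissions for select using (student_id = auth.uid());

-- (2) The inverted guard, reproduced as a pattern. Intent: only admins may
--     grade. A SECURITY DEFINER function runs as its owner and bypasses RLS,
--     so this IF is the only check. It raises whenever the caller HAS a
--     profile row, i.e. for every logged-in user, while an unauthenticated
--     caller (auth.uid() IS NULL, so no row matches) passes straight through.
create or replace function grade_submission_broken(sub bigint, new_grade integer)
returns void language plpgsql security definer as $$
begin
  if exists (select 1 from profiles where id = auth.uid()) then
    raise exception 'forbidden';
  end if;
  update submissions set grade = new_grade where id = sub;
end $$;

-- (3) Corrected guard. COALESCE turns the "no row" case (anon caller) into
--     FALSE, so the check fails closed for unauthenticated requests as well as
--     for ordinary users; only a profile with is_admin = true passes.
create or replace function grade_submission(sub bigint, new_grade integer)
returns void language plpgsql security definer as $$
begin
  if not coalesce((select is_admin from profiles where id = auth.uid()), false) then
    raise exception 'forbidden';
  end if;
  update submissions set grade = new_grade where id = sub;
end $$;

-- (4) Defence in depth: do not expose the RPC to unauthenticated clients at
--     all. anon and authenticated are the roles Supabase maps API requests to.
revoke execute on function grade_submission(bigint, integer) from public, anon;
grant  execute on function grade_submission(bigint, integer) to authenticated;
```

The check a reviewer would run against either version is the same: call the RPC once with the anon key and once as an ordinary signed-in user, and confirm both are refused before trusting the admin path. Note also that the `security definer` attribute is what makes the guard load-bearing; a function that bypasses RLS must fail closed on a NULL caller id, which is exactly what the broken version does not do.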

Since the app itself is a platform for creating exam questions and displaying grades, the user base will naturally consist of teachers and students. Khan said some were from top US universities such as the University of California, Berkeley and the University of California, Davis, but “there were also K-12 institutions where minors were more likely to participate on the platform.”

Because of these flaws, an unauthenticated attacker could, for example, easily access all user records, send mass emails through the platform, delete user accounts, grade student test submissions, and access an organization’s administrator emails.

Of the 18,697 total exposed user records, 14,928 contained unique email addresses. The dataset included 4,538 student accounts (all with email addresses), 10,505 corporate users, and 870 users whose complete PII was exposed.

The security flaws here are not limited to apps hosted by Lovable. This problem is more widespread and well known by now.

Vibe coding, Collins Dictionary’s 2025 Word of the Year, promised to flatten the steep learning curve of software development and help nimble developers bring their app ideas to life.

But when AI isn’t generating sloppy bug reports in pursuit of lucrative bug bounties or catastrophically ignoring instructions, it can churn out flashy apps laden with vulnerabilities.

For example, Veracode recently found that 45% of AI-generated code contains security flaws, as The Register reported in the last few months.

Khan said he believes Lovable should be held responsible for the security of the apps it hosts, and was particularly upset that after reporting his findings through the company’s support, he was told his ticket was closed without a response.

“If Lovable intends to market itself as a platform for producing production-ready apps that ‘include’ authentication, then it will assume some responsibility for the security posture of the apps it produces and promotes,” Khan said.

“You can’t publish an app to 100,000 people, host it on your own infrastructure, and close a ticket when someone tells you that user data has been compromised. At the very least, a basic security scan of the published application should pick up all the important findings included in this report.”

Lovable told The Register that it has contacted the owners of the apps in question and “takes these types of findings very seriously.”

Regarding the closed ticket, Lovable CISO Igor Andriushchenko said the company received the “appropriate disclosure report” on the evening of February 26 and acted on the results “within minutes.”

“Projects built with Lovable include a free security scan before publication,” Andriushchenko told The Register. “This scan will check for vulnerabilities and, if found, provide recommendations on actions to take to resolve them before publication.

“Ultimately, it is at the user’s discretion whether or not to implement these recommendations, which in this case did not occur.

“This project also contains code that is not generated by Lovable, and the vulnerable database is not hosted by Lovable. We are in contact with the app’s author and are currently working on this issue.” ®
