Lovable, the AI-powered development platform valued at $6.6 billion, has become a poster child for the "vibe coding" movement—a shift toward building software using natural language and high-level intent rather than manual syntax. But the platform’s meteoric rise among its eight million users is being shadowed by a series of security failures. Three documented incidents have recently exposed sensitive source code, database credentials, and thousands of user records, raising questions about whether the speed of generative AI is outpacing basic infrastructure safety.

The most recent lapse involved a Broken Object Level Authorization (BOLA) vulnerability, a flaw in which an API fails to verify that the requester is actually permitted to access the specific object (here, a project) referenced in a request, that remained open for 48 days. Despite a bug bounty report flagging the issue, the company reportedly closed the ticket without escalation, leaving thousands of projects vulnerable to unauthorized access. This oversight suggests a disconnect between the polished, intuitive interface of AI-assisted coding and the rigorous, often invisible labor required to secure the resulting backend.

This "vibe coding" security crisis reflects a broader systemic risk. When software is generated through conversational prompts, the abstraction layer can obscure traditional security checkpoints. As platforms like Lovable lower the barrier to entry for app creation, they also create a massive, centralized surface area for exploitation. If the industry fails to reconcile its "move fast" ethos with the essential discipline of database security, the democratization of coding may come at a steep cost to user privacy.

With reporting from The Next Web.