{"id":218157,"date":"2026-02-27T11:36:00","date_gmt":"2026-02-27T16:36:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/27\/ai-built-app-on-lovable-exposed-18k-users-researcher-claims-the-register\/"},"modified":"2026-02-27T13:55:09","modified_gmt":"2026-02-27T18:55:09","slug":"ai-built-app-on-lovable-exposed-18k-users-researcher-claims-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/27\/ai-built-app-on-lovable-exposed-18k-users-researcher-claims-the-register\/","title":{"rendered":"AI-built app on Lovable exposed 18K users, researcher claims \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/27\/lovable_app_vulnerabilities\/\">AI-built app on Lovable exposed 18K users, researcher claims \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/27\/lovable_app_vulnerabilities\/\">https:\/\/www.theregister.com\/2026\/02\/27\/lovable_app_vulnerabilities\/<\/a><\/p>\n<p>Publish Date: 2026-02-27 11:36:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.theregister.com\">www.theregister.com<\/a><\/p>\n<p>Vibe-coding platform Lovable has been accused of hosting apps riddled with vulnerabilities after saying users are responsible for addressing security issues flagged before publishing.<\/p>\n<p>Taimur Khan, a tech entrepreneur with a background in software engineering, found 16 vulnerabilities \u2013 six of which he said were critical \u2013 in a single Lovable-hosted app that leaked more than 18,000 people&#8217;s data.<\/p>\n<p>He declined to name the app during the disclosure process, although it was hosted on Lovable&#8217;s platform and showcased on its Discover page. 
The app had more than 100,000 views and around 400 upvotes at the time Khan began his probe.<\/p>\n<p>The main issue, Khan said, was that all apps that are vibe-coded on Lovable&#8217;s platform are shipped with their backends powered by Supabase, which handles authentication, file storage, and real-time updates through a PostgreSQL database connection.<\/p>\n<p>However, when the developer \u2013 in this case AI \u2013 or the human project owner fails to explicitly implement crucial security features like Supabase&#8217;s row-level security and role-based access, code will be generated that looks functional but in reality is flawed.<\/p>\n<p>One example of this was a malformed authentication function. The AI that vibe-coded the Supabase backend, which uses remote procedure calls, implemented it with flawed access control logic, essentially blocking authenticated users and allowing access to unauthenticated users.<\/p>\n<p>Khan said the intent was to block non-admins from accessing parts of the app, but the faulty implementation blocked all logged-in users \u2013 an error he said was repeated across multiple critical functions.<\/p>\n<p>&#8220;This is backwards,&#8221; said Khan. &#8220;The guard blocks the people it should allow and allows the people it should block. 
A classic logic inversion that a human security reviewer would catch in seconds \u2013 but an AI code&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/27\/lovable_app_vulnerabilities\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI-built app on Lovable exposed 18K users, researcher claims \u2022 The Register https:\/\/www.theregister.com\/2026\/02\/27\/lovable_app_vulnerabilities\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":218158,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2024\/02\/21\/prompt_shutterstock.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26],"class_list":["post-218157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/218157"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=218157"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/218157\/revisions"}],"predecessor-version":[{"id":218159,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/218157\/revisions\/218159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/218158"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=218157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-
json\/wp\/v2\/categories?post=218157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=218157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}