Lovable App Hacked via Claude, Exposing 18,000 Users as Support Ticket Closed
18,697 user records—including names, emails and roles—were exposed without authentication after a researcher uncovered 16 vulnerabilities, six critical, in a Lovable‑showcased EdTech app; the company closed the support ticket despite the breach, reports indicate.
Quick Summary
- Key company: Lovable
The breach was uncovered when a security researcher, who goes by “I vibe,” used Claude‑generated code to probe an EdTech demo that Lovable — the $6.6 billion low‑code platform that touts customer success stories on its homepage — had highlighted as a flagship example. Within a few hours the researcher identified 16 vulnerabilities, six of which were classified as critical, and demonstrated that the app’s authentication logic was inverted: logged‑in users were blocked while anonymous requests slipped straight through (according to the researcher’s report). The flaw allowed anyone to pull the entire user directory without a token, exposing 18,697 records that included names, email addresses and role designations.
Beyond the data dump, the insecure API endpoints gave unauthenticated callers the power to delete accounts, alter student grades, and fire bulk‑email campaigns with a single request. The researcher also confirmed that enterprise‑level organization data from 14 institutions—spanning universities in California and schools across Europe, Africa and Asia—was accessible via the same loophole. All of these actions required no credentials, underscoring how the app’s back‑end was essentially a playground for anyone with a curl command (source: researcher’s disclosure).
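The two paragraphs above describe one bug class: an authorization check whose condition is backwards, so sessions are refused while anonymous calls reach the data and the destructive endpoints. The block below is an added illustration, not code from the EdTech app, the researcher or Lovable. It is plain JavaScript with no framework, and the session store, user directory and role policy are constructed for the example. It places the inverted guard next to a deny-by-default guard and runs both through a table-driven policy check of the kind that would have flagged the inversion before the app shipped.

```javascript
// Added illustration (not the app's or Lovable's code): an inverted
// authorization guard next to a corrected one, plus a policy check that
// reports every caller whose outcome violates the stated access policy.

// Constructed session store: opaque bearer token -> authenticated principal.
const SESSIONS = {
  "tok-admin-1": { id: 1, email: "admin@example.edu", role: "admin" },
  "tok-student-7": { id: 7, email: "student@example.edu", role: "student" },
};

// Constructed user directory standing in for the exposed records.
const USERS = [
  { id: 1, name: "Admin", email: "admin@example.edu", role: "admin" },
  { id: 7, name: "Student", email: "student@example.edu", role: "student" },
];

// Resolve the Authorization header to a principal, or null for anonymous
// and for tokens that do not match a known session.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS[token] || null;
}

// Inverted guard (the bug class the article describes): the condition is
// backwards, so a valid session gets 403 while an anonymous request is
// passed straight through to the full directory.
function listUsersInverted(req) {
  const user = authenticate(req);
  if (user) return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: USERS };
}

// Corrected guard: deny by default. Require a session (401 otherwise), then
// require the role allowed to read the directory (403 otherwise).
function listUsersFixed(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: { error: "unauthorized" } };
  if (user.role !== "admin") return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: USERS };
}

// Access policy as data: who calls, and the status the policy requires.
// The anonymous and bad-token rows are the ones an inverted check breaks.
const POLICY_CASES = [
  { name: "anonymous", req: { headers: {} }, expect: 401 },
  { name: "unknown token", req: { headers: { authorization: "Bearer nope" } }, expect: 401 },
  { name: "student", req: { headers: { authorization: "Bearer tok-student-7" } }, expect: 403 },
  { name: "admin", req: { headers: { authorization: "Bearer tok-admin-1" } }, expect: 200 },
];

// Run every policy case through a handler and return the violations, so a
// CI step can fail the build on any non-empty result.
function policyViolations(handler) {
  return POLICY_CASES
    .map((c) => ({ ...c, got: handler(c.req).status }))
    .filter((c) => c.got !== c.expect)
    .map((c) => `${c.name}: expected ${c.expect}, got ${c.got}`);
}

console.log("inverted guard violations:", policyViolations(listUsersInverted));
console.log("fixed guard violations:", policyViolations(listUsersFixed));
```

The inverted handler fails three of the four rows (anonymous and unknown-token callers receive 200, the admin receives 403); the corrected handler fails none. Writing the policy as a table of callers and required statuses, rather than as a single happy-path test, is what makes the anonymous row exist at all, and that row is the one a reviewer of generated code most needs to see run.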
When the findings were sent to Lovable’s security team, the company’s response was to close the support ticket without further public comment, according to the same source. No remediation timeline or post‑mortem was offered, and the researcher’s attempts to engage the vendor were met with a terse ticket closure. The lack of follow‑up raises questions about Lovable’s internal security review processes, especially given that the showcased app had attracted over 100K page views and was being promoted as a model of “AI‑assisted” development.
The incident shines a spotlight on a broader risk in the low‑code market: AI‑generated code can ship quickly, but without rigorous human review it may embed fundamental security oversights. The researcher described the authentication bug as “classic AI‑generated code that ‘works’ but was never reviewed,” a sentiment echoed by industry observers who warn that the speed of model‑driven development can outpace traditional security testing (VentureBeat, AI ethics coverage). For educators and institutions that adopted the demo, the exposure of student grades and personal contact information could have compliance ramifications under regulations such as FERPA and GDPR.
In the wake of the breach, analysts are likely to scrutinize Lovable’s showcase selection criteria and its commitment to secure AI‑assisted tooling. While the company has not issued a formal statement, the episode serves as a cautionary tale: even high‑profile, AI‑enhanced applications can harbor elementary flaws that jeopardize millions of users, and a swift, transparent response is essential to maintain trust in the burgeoning low‑code ecosystem.
Sources
No primary source found (coverage-based)
- Reddit - r/ClaudeAI
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.