ADVERTISEMENT

Lovable goes on ego trip denying vulnerability, then blames others for said vulnerability

Vibecoding platform Lovable has admitted a serious flaw in its service after, bizarrely, first denying the vulnerability and blaming the alleged misunderstanding on unclear documentation and design. Then it threw HackerOne, the bug-bounty service, under the bus.

lovable-scandal

Image by Cybernews.

Gintaras Radauskas
Gintaras Radauskas Senior Journalist
Apr 21, 2026 Updated: 21 April 2026 4 min read

No hacking needed to trigger the bug

Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.

Prompts and source code are visible intentionally

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites
ADVERTISEMENT

An apology and some finger-pointing

The company apparently did nothing because HackerOne believed that seeing public projects’ chats was the intended behavior, although it’s hard to be surprised, since that’s exactly how Lovable has marketed its product historically.

ADVERTISEMENT