- An app designed by Lovable included 6 critical vulnerabilities and 10 others
- 170 of 1,645 Lovable apps have critical flaws
- The AI code may look good and work, but it may not be secure
Vibe coding platform Lovable has been accused of hosting insecure applications after security researcher Taimur Khan discovered that an EdTech application presented by Lovable contained 16 vulnerabilities, including six critical ones.
Khan explained how the app exposed more than 18,000 user records, including those of teachers and students from major universities and schools.
Due to faulty access controls, anyone could view all user data, delete accounts, change credit balances, send mass emails, and access courses and grades without logging in.
A vulnerability in an application presented by Lovable affected more than 18,000 people
According to Khan, the main bug was a simple logical error. “Logic says: if you are a logged in user, deny access,” he wrote. The bug “could have slipped through AI code generation without proper review,” he wrote, indicating that a human reviewer would likely have detected such an error (or not introduced it in the first place).
The AI-generated backend code appeared fully functional, but it had not been configured securely.
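The inverted check Khan describes, next to a deny-by-default version and a small audit that catches the difference. This is an added illustration, not code from the Lovable app: the guard functions, session shape and role names are hypothetical, and the test sessions are constructed.

```javascript
// Added illustration: hypothetical guards, not code from the Lovable app.
// A session is null for an anonymous caller, or { userId, role } when logged in.

// Inverted guard, as described in the article: logged-in users are denied,
// and anonymous callers fall through to "allow".
function guardInverted(session) {
  if (session) return false;
  return true;
}

// Deny-by-default guard: allow only when a valid session has a permitted role.
function guardFixed(session, allowedRoles) {
  if (!session || typeof session.userId !== "string") return false;
  return allowedRoles.includes(session.role);
}

// Constructed test sessions and the decision each one must receive on an
// admin-only action such as deleting an account or changing a credit balance.
const CASES = [
  { name: "anonymous", session: null, expect: false },
  { name: "student", session: { userId: "u1", role: "student" }, expect: false },
  { name: "admin", session: { userId: "u2", role: "admin" }, expect: true },
  { name: "malformed", session: { role: "admin" }, expect: false },
];

// Run a guard against every case and return the names of the cases it gets wrong.
function auditGuard(guard) {
  const failures = [];
  for (const c of CASES) {
    let decision;
    try {
      decision = guard(c.session) === true;
    } catch (err) {
      decision = false; // a guard that throws did not grant access
    }
    if (decision !== c.expect) failures.push(c.name);
  }
  return failures;
}

const invertedFailures = auditGuard(guardInverted);
const fixedFailures = auditGuard((s) => guardFixed(s, ["admin"]));
console.log("inverted guard fails:", invertedFailures);
console.log("fixed guard fails:", fixedFailures);
```

A happy-path test that only logs in and clicks through the UI never exercises the anonymous case, which is why the audit table includes it explicitly.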
Although this report only concerns one Lovable app, Khan is concerned that similar errors could occur more widely. “A security researcher analyzed 1,645 apps built with Lovable and found that 170 of them had critical flaws,” Khan wrote.
He described AI-generated code as a “risk”, not a “shortcut”, criticizing vibe coding for creating output that looks correct, executes successfully and returns neat user interfaces without necessarily being secure.
Additionally, Khan introduced the concept of “vibe hacking,” where less technically-minded hackers are able to exploit AI-generated code under the assumption that “AI-generated code defaults to functionality over security.”
Recognizing the role of vibe coding in the industry, he called for platforms like Lovable to analyze applications and create stronger security defaults in AI-generated code. Developers should implement appropriate security reviews and remember that code that works is not necessarily secure.
“Any project built with Lovable includes a free security scan before publishing,” a Lovable spokesperson added (via The Register), admitting that the implementation of Lovable’s recommendations is at the discretion of the developer.




