On April 20, a security researcher who goes by the handle @weezerOSINT on X claimed the vibe-coding platform Lovable AI suffered a data breach that allowed the source code, credentials, chat history, and even customer data from projects to be accessed by other users.

Lovable responded on X by denying that a breach had occurred, saying, “We were made aware of concerns regarding the visibility of chat messages and code on Lovable projects with public visibility settings. To be clear: We did not suffer a data breach.”

Now, three days after its initial statement, the company appears to be walking back that position in a blog post published yesterday, saying that it fixed the issue within two hours of the report on April 20.

“On April 20, a security researcher publicly reported that data within public Lovable projects could be accessed by any authenticated user. We shipped a fix within two hours, but both our product and initial external response missed the mark. We owe you a clearer accounting of what happened, why it happened, and what we’re doing about it,” it said.

“Private projects and Lovable Cloud were never impacted. Between February 3, 2026, and April 20, 2026, public project chat history and source code could potentially be accessed by any Lovable user, provided they had a project link.”

So, what really happened?

The vibe-coding company admitted that users were indeed able to access details such as chat history and source code in public projects. “In February 2026, backend regressions re-enabled public access to chat history and source code on public projects,” the company said.

They explained that this was an accident caused by a technical regression on their end. The company also added, “Our first public response was dismissive and failed to acknowledge the real concern.”

In the early days of the platform, the company said it allowed full visibility into public projects to lean into the idea of “community and discovery” because vibe coding was still a fairly unknown concept at the time. In 2025, the company said it “deliberately removed that access based on user feedback,” a restriction that a backend regression accidentally undid in February 2026, according to Lovable.
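As an added illustration (not Lovable's code, which is not public), here is a minimal version of the permission model the post describes: the early "full visibility" policy for public projects beside the current one, and a check that flags the regression when the older behaviour reappears. The project, user and resource names, and the exact policy details, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Resource kinds on a project; only the rendered preview is meant to be public.
PREVIEW, CHAT_HISTORY, SOURCE_CODE = "preview", "chat_history", "source_code"


@dataclass
class Project:
    project_id: str
    owner: str
    public: bool                       # "public visibility setting"
    collaborators: Set[str] = field(default_factory=set)


def _is_member(user: Optional[str], project: Project) -> bool:
    return user is not None and (user == project.owner or user in project.collaborators)


def legacy_can_read(user: Optional[str], project: Project, resource: str) -> bool:
    """Early-days model: public meant full visibility (preview, chat, code).
    Kept only as the 'before' that a backend regression would silently restore."""
    return _is_member(user, project) or project.public


def can_read(user: Optional[str], project: Project, resource: str) -> bool:
    """Current model (assumed): public exposes only the preview; chat history and
    source code stay with owner/collaborators. Being logged in, or knowing the
    project link, is not an authorization factor for those resources."""
    if _is_member(user, project):
        return True
    return resource == PREVIEW and project.public


# Expectations for a public project owned by "alice" with collaborator "bob";
# "mallory" is an unrelated authenticated user, None is anonymous (constructed data).
EXPECTED = {
    (None, PREVIEW): True,
    (None, CHAT_HISTORY): False,
    ("mallory", CHAT_HISTORY): False,
    ("mallory", SOURCE_CODE): False,
    ("bob", SOURCE_CODE): True,
    ("alice", CHAT_HISTORY): True,
}


def policy_violations(policy: Callable[..., bool]) -> List[Tuple[Optional[str], str]]:
    """Run a policy against the expectations; an empty list means no regression."""
    proj = Project("p-123", owner="alice", public=True, collaborators={"bob"})
    return [(u, r) for (u, r), allowed in EXPECTED.items() if policy(u, proj, r) != allowed]
```

Wired into CI, `policy_violations(can_read)` turning non-empty is the signal that a backend change has re-widened access, which is the failure mode the post attributes to February 2026.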

It appears other researchers were aware of the issue and reported it through HackerOne, a platform that connects organizations with cybersecurity researchers. But multiple reports were closed instead of being escalated; even Lovable itself acknowledged this in its blog post.

“Researchers filed multiple valid reports about this issue… but these were closed instead of being escalated to Lovable,” the company said.

According to the company, the reason this happened was “based on internal static documentation and context we had provided to our HackerOne partners, which still described public project chat visibility as intended behavior.” The company further stated that it is “updating all program documentation and retraining our HackerOne triage team on Lovable’s current permission model.” Beyond this immediate fix, it also plans to restructure its escalation workflow.

A representative for the company also told Techloy it was “finalizing its analysis to determine the number of affected public projects and is proactively reaching out to affected users.”
