
Lovable has published a formal incident report admitting that a backend regression it introduced in February 2026 re-exposed the chat histories and source code of public projects to any authenticated user, undoing security protections the company had deliberately built throughout 2025. The exposure window ran from February 3 to April 20, 2026 — 76 days.
The incident came to light after security researcher @weezerOSINT published a thread on April 20 demonstrating that five API calls from a free account were enough to pull another user's full source code, hardcoded database credentials, and complete AI conversation history.
The researcher accessed a live admin panel for a Danish nonprofit, extracted Supabase credentials from the source code, and queried real personal data — names, LinkedIn profiles, and Stripe customer IDs — belonging to professionals who had no idea their information was reachable.
In its blog post, co-signed by co-founders Anton and Fabian, Lovable acknowledged the full chain of failures. The company had previously removed public access to project chat histories by March 2025, extended private-by-default to all tiers in November 2025, and patched its API retroactively.
Then, in February 2026, a backend unification effort accidentally reversed all of that. "A backend regression reintroduced access to chat histories on public projects — undoing protections we had deliberately put in place," the company admitted.
The HackerOne failure compounded it. Multiple researchers filed valid reports starting February 22, 2026. Every one of them was closed without escalation — because Lovable's own triage documentation, shared with its HackerOne partners, still described public chat visibility as intended behavior. "We are responsible for equipping them with accurate, up-to-date information," Lovable said. "We fell short."
Lovable's first public response on X — calling it a documentation issue and denying a breach — drew sharp criticism, and the company acknowledged it directly: "Our first public response was dismissive and failed to acknowledge the real concern."
The fix shipped within two hours of public disclosure. Lovable is now converting all historical public projects to private, retaining only its official remixable templates. It is also reviewing logs to identify which public projects were accessed by non-owners during the 76-day window and will notify affected project owners directly.
Private projects and Lovable Cloud were never impacted.
If you had public projects on Lovable before April 20:
- Expect a direct email from Lovable if your project was accessed by another user.
- Rotate any database credentials — especially Supabase keys — that appeared in your source code or chat history.
- Audit AI chat sessions for any credentials, API keys, or sensitive business data shared mid-build.