Security vulnerabilities exposed in Lovable-showcased EdTech app

A security researcher discovered multiple critical vulnerabilities in an EdTech application showcased as a success story on the Lovable platform. Lovable is a $6.6B "vibe coding" platform that features apps built with their tools.
Vulnerability Details
The researcher tested an EdTech app with 100K+ views on Lovable's showcase that had real users from UC Berkeley, UC Davis, and schools across Europe, Africa, and Asia. In a few hours of testing, they found:
- 16 total security vulnerabilities
- 6 critical vulnerabilities
- Auth logic that was "literally backwards" — it blocked logged-in users and let anonymous ones through
- The researcher described this as "classic AI-generated code that 'works' but was never reviewed"
What Was Exposed
- 18,697 user records (names, emails, roles) — accessible without authentication
- Account deletion via single API call — no authentication required
- Student grades modifiable — no authentication required
- Bulk email sending capability — no authentication required
- Enterprise organization data from 14 institutions
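The inverted guard described above (a check that rejects callers with a session and lets anonymous ones through) and the unauthenticated record, deletion, grade and bulk-email endpoints listed here are the same defect seen from two sides. The following is an added example, not code from the original post or from the app it describes: an Express-style guard chain that wires one route table first with a deliberately backwards check and then with a corrected one, together with a small regression check that lists every route an anonymous caller can still reach. All sample rows, route names and policy names are constructed for illustration.

```javascript
// Added example (not the original post's code nor the app's). Reproduces the
// "backwards" authentication guard beside its corrected form and runs a
// regression check over a constructed route table. Everything below is made up
// for illustration: the rows, the routes and the policy names.

// Constructed sample rows standing in for the app's user and grade tables.
const db = {
  users: [
    { id: 1, name: "Alice", email: "alice@example.edu", role: "student" },
    { id: 2, name: "Bob", email: "bob@example.edu", role: "admin" },
  ],
  grades: { 1: "B+" },
};

// A guard returns null to let the request proceed, or a response to stop it.

// The "backwards" guard: callers with a session are rejected, callers
// without one are waved through. This is the failure mode the post describes.
function invertedRequireAuth(req) {
  return req.user ? { status: 403, body: "forbidden" } : null;
}

// Corrected guard: no authenticated principal, no access.
function requireAuth(req) {
  return req.user ? null : { status: 401, body: "authentication required" };
}

// Privileged operations layer a role check on top of requireAuth.
function requireRole(role) {
  return (req) =>
    requireAuth(req) ||
    (req.user.role === role ? null : { status: 403, body: "forbidden" });
}

// Route table. Each route names the policy it needs; a policy map decides
// which guard implements that name, so the same table can be wired with the
// broken guard or with the corrected ones. Handlers only describe what they
// would do so the sample data is never mutated.
const ROUTES = [
  { name: "GET /users", policy: "admin",
    handler: () => ({ status: 200, body: db.users }) },
  { name: "DELETE /users/:id", policy: "admin",
    handler: (req) => ({ status: 200, body: `would delete user ${req.params.id}` }) },
  { name: "PUT /grades/:id", policy: "authenticated",
    handler: (req) => ({ status: 200, body: `would set grade for ${req.params.id}` }) },
  { name: "POST /email/bulk", policy: "admin",
    handler: () => ({ status: 200, body: "would queue bulk email" }) },
];

// Wiring as the post describes the app: one backwards check behind everything.
const BROKEN_POLICIES = { authenticated: invertedRequireAuth, admin: invertedRequireAuth };
// Corrected wiring: authentication everywhere, a role check on privileged routes.
const FIXED_POLICIES = { authenticated: requireAuth, admin: requireRole("admin") };

// Dispatch a request: run the route's guard, then its handler.
function dispatch(policies, name, req) {
  const route = ROUTES.find((r) => r.name === name);
  if (!route) return { status: 404, body: "not found" };
  return policies[route.policy](req) || route.handler(req);
}

// Regression check a defender would keep in CI: call every route with no
// session and report the ones that answer with a success status.
function anonymouslyReachable(policies) {
  const anon = { user: null, params: { id: 1 } };
  return ROUTES
    .filter((r) => dispatch(policies, r.name, anon).status < 400)
    .map((r) => r.name);
}

// Companion check: a logged-in student should reach their own grade update
// and nothing that is admin-only. With the inverted guard they reach nothing.
function studentReachable(policies) {
  const student = { user: db.users[0], params: { id: 1 } };
  return ROUTES
    .filter((r) => dispatch(policies, r.name, student).status < 400)
    .map((r) => r.name);
}

console.log("broken, anonymous:", anonymouslyReachable(BROKEN_POLICIES));
console.log("broken, student:", studentReachable(BROKEN_POLICIES));
console.log("fixed, anonymous:", anonymouslyReachable(FIXED_POLICIES));
console.log("fixed, student:", studentReachable(FIXED_POLICIES));
```

With the broken wiring the anonymous check returns every route and the student check returns none, which is exactly the "blocks logged-in users, lets anonymous ones through" symptom; with the corrected wiring the anonymous list is empty and the student reaches only the grade update. Keeping both checks in a test suite catches an inverted condition on the first run, whereas a suite that only exercises the happy path with an admin session never sees it.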
Response
The researcher reported the vulnerabilities to Lovable, who closed the support ticket without addressing the issues.
📖 Read the full source: r/ClaudeAI
👀 See Also

AI-Automated Daily Security Audit for AI-Operated Store
An AI-operated store runs a daily security audit autonomously without human scheduling or cron jobs. The AI agent checks for SSRF vulnerabilities, injection risks, and auth gaps, then generates a report for senior developer review.

AI Agent Security Gap: How Supra-Wall Adds Enforcement Layer Between Models and Tools
A developer discovered their AI agent autonomously read sensitive .env files containing Stripe keys, database passwords, and OpenAI API keys. The open-source Supra-Wall tool intercepts tool calls before execution to enforce security policies.

FastCGI: 30 Years Old and Still the Better Protocol for Reverse Proxies
FastCGI avoids HTTP desync attacks and untrusted header issues by using explicit message framing and separate parameter channels, making it a safer choice for proxy-to-backend communication.

Cisco source code stolen via Trivy supply chain attack
Cisco's internal development environment was breached using stolen credentials from the Trivy supply chain attack, resulting in the theft of source code from over 300 GitHub repositories including AI-powered products and customer code.