
- One Lovable-built app included six critical vulnerabilities and 10 others
- 170 of Lovable’s 1,645 apps were found with critical flaws
- AI code might look right and function, but it might not be secure
Vibe coding platform Lovable has been accused of hosting insecure apps after security researcher Taimur Khan found that one Lovable-showcased app (EdTech) contained 16 vulnerabilities, six of which were critical.
Khan outlined how the app exposed more than 18,000 user records, including teachers and students from major universities and schools.
Due to the faulty access controls, anyone could view all user data, delete accounts, change credit balances, send bulk emails and access courses and grade submissions without actually logging in.
According to Khan, the core bug was a simple logic error. “The logic says: if you’re a logged-in user, deny access,” he wrote. The bug “might have slipped through AI code generation without proper review,” he wrote, indicating that a human reviewer would likely have caught (or not even introduced in the first place) such an error.
The AI-generated backend code looked entirely functional; however, it had not been securely configured.
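As an added illustration (not code from Khan's report or from Lovable), the following shows the shape of the inverted access check he describes beside a deny-by-default version, with a small authorization matrix that flags the inversion; the request fields, roles and record names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Request:
    user_id: Optional[str]   # None means no session (anonymous caller)
    target_user: str         # owner of the record being read or changed
    role: str = "student"    # assumed role names for the example


def vulnerable_guard(req: Request) -> bool:
    # The logic error described in the report: "if you're a logged-in user,
    # deny access". Logged-in callers are refused, everyone else (including
    # anonymous callers) is allowed through.
    if req.user_id is not None:
        return False
    return True


def hardened_guard(req: Request) -> bool:
    # Deny by default. Allow only an authenticated caller acting on their own
    # record, or an authenticated caller holding the admin role.
    if req.user_id is None:
        return False
    if req.role == "admin":
        return True
    return req.user_id == req.target_user


# Constructed authorization matrix: each case and the decision it must produce.
EXPECTED = {
    "anonymous":    (Request(None, "s1"), False),
    "own_record":   (Request("s1", "s1"), True),
    "other_record": (Request("s1", "t1"), False),
    "admin_any":    (Request("a1", "s1", role="admin"), True),
}


def find_violations(guard: Callable[[Request], bool]) -> List[str]:
    """Return the names of cases where the guard's decision differs from EXPECTED."""
    return [name for name, (req, want) in EXPECTED.items() if guard(req) != want]


if __name__ == "__main__":
    for name, guard in (("vulnerable", vulnerable_guard), ("hardened", hardened_guard)):
        print(name, "violations:", find_violations(guard))
```

A matrix like this belongs in the app's test suite so that an inverted or missing check fails the build rather than reaching production.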
Though this report only relates to one Lovable app, Khan worries that similar mistakes could happen more broadly. “A security researcher scanned 1,645 apps built with Lovable and found 170 of them had critical flaws,” Khan wrote.
He described AI-generated code as a “risk,” not a “shortcut,” criticizing vibe code for creating output that looks correct, executes successfully and returns polished-looking user interfaces without necessarily being secure.
Additionally, Khan introduced the concept of ‘vibe hacking’, whereby less technically minded hackers are able to exploit AI-generated code on the basis that “AI-generated code defaults to functionality over security.”
Acknowledging vibe coding’s role in the industry, he called for platforms like Lovable to scan apps and build stronger security defaults into AI-generated code. Developers should implement proper security reviews and remember that code that works is not necessarily secure.
“Any project built with Lovable includes a free security scan before publishing,” a Lovable spokesperson added (via The Register), admitting that it is at the developer’s discretion whether to implement Lovable’s recommendations.
