Lovable-showcased EdTech app found riddled with 16 security flaws exposing 18,000 users
A security researcher found 16 vulnerabilities, six of them critical, in an EdTech app featured on Lovable's showcase page. The app had over 100,000 views and real users from UC Berkeley, UC Davis, and universities across Europe, Africa, and Asia. Its AI-generated authentication logic was inverted: it blocked logged-in users while granting anonymous visitors full access. 18,697 user records, including names, emails, and roles, were readable without authentication, and unauthenticated requests could also modify student grades, delete accounts, and send bulk emails. Lovable initially closed the researcher's support ticket without a response.
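To make the inverted-check failure concrete, here is an added illustration (not code from the app, the researcher, or Lovable) of an authorization guard whose condition is backwards, beside a corrected guard that denies by default and checks the caller's role per action. The guard names, roles, actions, and the caller set are hypothetical; the point is that one flipped condition turns "logged in" into the blocked state and "anonymous" into the privileged one.

```typescript
// Added illustration of an inverted authentication guard and its fix.
// All names here (brokenGuard, fixedGuard, roles, actions) are hypothetical;
// this is not the EdTech app's or Lovable's actual code.

type Role = "student" | "teacher" | "admin";
type Session = { userId: string; role: Role } | null;
type Action = "list_users" | "update_grade" | "delete_account" | "send_bulk_email";
type Decision = "allow" | "deny";
type Guard = (session: Session, action: Action) => Decision;

// Buggy guard: the condition is inverted. A present session (a logged-in
// user) is what gets blocked, and an absent session (anonymous) falls
// through to "allow" for every action.
function brokenGuard(session: Session, _action: Action): Decision {
  if (session) {
    return "deny"; // logged-in users are blocked
  }
  return "allow"; // anonymous visitors get everything
}

// Corrected guard: deny by default, require a session, then apply a
// per-action role check so an authenticated student still cannot edit
// grades or bulk-mail the user base.
const ALLOWED_ROLES: Record<Action, readonly Role[]> = {
  list_users: ["admin"],
  update_grade: ["teacher", "admin"],
  delete_account: ["admin"],
  send_bulk_email: ["admin"],
};

function fixedGuard(session: Session, action: Action): Decision {
  if (!session) {
    return "deny"; // unauthenticated callers are never allowed
  }
  return ALLOWED_ROLES[action].includes(session.role) ? "allow" : "deny";
}

// Evaluate a guard against a constructed set of callers so the two guards
// can be compared side by side. Returns "<caller>:<action>" -> decision.
function decisionMatrix(guard: Guard): Record<string, Decision> {
  // Constructed sample callers (hypothetical users, not real data).
  const callers: Record<string, Session> = {
    anonymous: null,
    student: { userId: "u1", role: "student" },
    teacher: { userId: "u2", role: "teacher" },
    admin: { userId: "u3", role: "admin" },
  };
  const actions: Action[] = ["list_users", "update_grade", "delete_account", "send_bulk_email"];
  const out: Record<string, Decision> = {};
  for (const [name, session] of Object.entries(callers)) {
    for (const action of actions) {
      out[`${name}:${action}`] = guard(session, action);
    }
  }
  return out;
}

// Number of actions an anonymous caller is allowed: the quickest regression
// check that the inversion is gone (it should be 0 after the fix).
function anonymousAllowCount(guard: Guard): number {
  return Object.entries(decisionMatrix(guard))
    .filter(([key, decision]) => key.startsWith("anonymous:") && decision === "allow")
    .length;
}

// Side-by-side run for the reader.
console.log("broken:", decisionMatrix(brokenGuard));
console.log("fixed:", decisionMatrix(fixedGuard));
```

The check worth keeping from this is `anonymousAllowCount`: a test that asserts the anonymous caller is allowed zero privileged actions catches the inversion regardless of how the guard is written, and it is exactly the kind of negative test that AI-generated scaffolding tends to omit.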
Incident Details
Perpetrator: AI platform
Severity: Facepalm
Blast Radius: 18,697 user records exposed, including students at major universities; student grades modifiable and accounts deletable without authentication