- A Lovable-built app contained 6 critical vulnerabilities and 10 others
- 170 of 1,645 scanned Lovable apps were found to have critical flaws
- AI code may look and work right, but it may not be secure
Vibe coding platform Lovable has been accused of hosting insecure apps after security researcher Taimur Khan found a Lovable featured app (EdTech) containing 16 vulnerabilities, six of which are critical.
Khan outlined how the app exposed more than 18,000 user records, including teachers and students from major universities and schools.
Because of the flawed access controls, anyone could view all user data, delete accounts, change credit balances, send bulk emails, and access courses and grade assignments without actually logging in.
Vulnerability in Lovable-showcased app affected 18,000+
According to Khan, the core flaw was a simple logic error. “Logic says: if you are a logged in user, deny access,” he wrote. He added that the bug “may have slipped through AI code generation without proper review,” indicating that a human reviewer would likely have caught (or never introduced) such a bug in the first place.
The AI-generated backend code looked fully functional, but it had not been securely configured.
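The inverted check Khan describes, next to a deny-by-default version and an access-matrix test that tells them apart. This is an added illustration, not code from the affected app; the function names, session shape and roles are assumptions.

```javascript
// Constructed example. A session is null for an anonymous caller,
// or { userId, role } once the caller has logged in.

// Flawed guard: the condition is inverted, so a logged-in user is denied
// and an anonymous caller falls through to the protected handler.
function guardInverted(session) {
  if (session) return { allowed: false, status: 403 };
  return { allowed: true, status: 200 };
}

// Corrected guard: deny by default, then allow only an authenticated
// session whose role is permitted for this action.
function guardFixed(session, allowedRoles) {
  if (!session || typeof session.userId !== 'string') {
    return { allowed: false, status: 401 };
  }
  if (!allowedRoles.includes(session.role)) {
    return { allowed: false, status: 403 };
  }
  return { allowed: true, status: 200 };
}

// Access matrix for a hypothetical "grade assignment" action: each case
// states who is calling and whether that caller must be let in.
const CASES = [
  { name: 'anonymous', session: null, expect: false },
  { name: 'malformed session', session: {}, expect: false },
  { name: 'student', session: { userId: 'u1', role: 'student' }, expect: false },
  { name: 'teacher', session: { userId: 'u2', role: 'teacher' }, expect: true },
];

// Returns the names of the cases where the guard's decision is wrong.
// An empty array means the guard matches the intended policy.
function auditGuard(guard) {
  return CASES
    .filter((c) => guard(c.session, ['teacher']).allowed !== c.expect)
    .map((c) => c.name);
}

console.log('inverted guard fails:', auditGuard(guardInverted));
console.log('fixed guard fails:', auditGuard(guardFixed));
```

A happy-path test cannot distinguish the two guards once the app "works" for its author; the anonymous and wrong-role rows are the ones that expose the inversion.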
Although this report concerns only one Lovable app, Khan worries that similar mistakes could happen more widely. “A security researcher scanned 1,645 apps built with Lovable and found that 170 of them had critical flaws,” Khan wrote.
He described AI-generated code as a “risk,” not a “shortcut,” and criticized vibe coding for producing output that looks correct, executes successfully, and returns polished-looking user interfaces without necessarily being secure.
In addition, Khan introduced the concept of ‘vibe-hacking’, where less technically minded hackers are able to exploit AI-generated code on the basis that “AI-generated code defaults to functionality over security.”
Acknowledging the role of vibe coding in the industry, he called for platforms like Lovable to scan apps and build stronger security standards into AI-generated code. Developers should implement proper security reviews and remember that just because code works, it may not be secure.
“Every project built with Lovable includes a free security scan before publishing,” a Lovable spokesperson added (via The Register), acknowledging that implementing Lovable’s recommendations is at the developer’s discretion.



