
Alissa Knight
What Lovable's 48-Day Exposure Tells Us About the Collapsing Economics of Human Penetration Testing
On March 3, 2026, an independent security researcher named Matt Palmer filed HackerOne report #3583821 against Lovable, the AI app builder valued at $6.6 billion and used by Uber, Zendesk, and Deutsche Telekom. The report documented a Broken Object Level Authorization flaw allowing any free-tier account to enumerate other users' source code, database credentials, AI chat histories, and customer data through five API calls.
The report was closed without escalation. Forty-eight days later, on April 20, 2026, Palmer went public. The vulnerability was still exploitable on every project created before November 2025.
I have spent twenty-six years breaking APIs. I was a contributor to the 2024 OWASP API Security Top 10. I breached fifty banks and cryptocurrency exchanges in my Scorched Earth research through exactly this class of flaw within a week. And I am telling you directly:
The Lovable incident is not a Lovable problem. It is the cleanest empirical proof yet that the pace of AI-generated code has permanently outrun the economics of human penetration testing.
What Actually Happened
The technical anatomy is simple enough to diagram on a napkin. Lovable's API verifies a Firebase auth token and then never checks whether the authenticated user owns the project they are querying. A project created in April 2026 returns 403 Forbidden. The same developer's older project — same API, same endpoint, same free account, same session — returns 200 OK with the full source tree.
The affected endpoints were /projects/{id}/*, /git/files, /git/file, and /documents. Every one of them serves the full project payload to any authenticated caller who knows a project ID. One demonstrated target was a live admin panel built for Connected Women in AI, a Danish nonprofit. Last edited ten days before disclosure. 3,703 edits this year. Active, in-production work. Hardcoded Supabase credentials — SUPABASE_URL, SUPABASE_PUBLISHABLE_KEY, SUPABASE_SERVICE_ROLE_KEY — sitting inside the exposed source tree. Behind those keys: real names, job titles, LinkedIn profiles, and Stripe customer IDs belonging to individuals at Accenture Denmark and Copenhagen Business School. Employees of Nvidia, Microsoft, Uber, and Spotify also have Lovable accounts tied to affected projects.
This is not a hobby-project problem.
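A check a team can run over its own generated source tree for the hardcoded keys described above, as an added example that is not part of the original article or Lovable's code. It assumes the keys use Supabase's JWT format, whose payload carries a role claim (anon or service_role), and it classifies each key by that claim rather than by the variable name; the file paths and tokens are constructed.

```python
import base64
import json
import re

JWT_RE = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")

def make_sample_jwt(role):
    """Build an unsigned, constructed token with a `role` claim (not a real key)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "HS256", "typ": "JWT"})
    body = seg({"iss": "supabase", "role": role})
    return f"{header}.{body}.c2ln"

def jwt_role(token):
    """Return the `role` claim from a JWT payload without verifying the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    return claims.get("role") if isinstance(claims, dict) else None

def scan_tree(tree):
    """Return (path, line, severity, role) for every JWT-shaped key in the tree."""
    findings = []
    for path, text in sorted(tree.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for token in JWT_RE.findall(line):
                role = jwt_role(token)
                if role == "service_role":  # bypasses row-level security
                    findings.append((path, lineno, "critical", role))
                elif role is not None:  # safe in client code only if RLS is on
                    findings.append((path, lineno, "review", role))
    return findings

# Constructed source tree: paths and contents are illustrative only.
SAMPLE_TREE = {
    "src/config.ts": "\n".join([
        'export const SUPABASE_URL = "https://example.invalid";',
        f'export const SUPABASE_PUBLISHABLE_KEY = "{make_sample_jwt("anon")}";',
        f'export const SUPABASE_SERVICE_ROLE_KEY = "{make_sample_jwt("service_role")}";',
    ]),
    # Mislabelled: the variable name says publishable, the token says service_role.
    "src/admin.ts": f'const SUPABASE_PUBLISHABLE_KEY = "{make_sample_jwt("service_role")}";',
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_TREE):
        print(finding)
```

Reading the claim catches the mislabelled key in src/admin.ts, which a scan keyed on variable names would pass as publishable.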
Lovable's public response cycled through three positions in a single afternoon: first the company denied a breach and called the exposed data "intentional behavior," then blamed its own documentation, then blamed HackerOne for closing the report. The company later acknowledged that a February 2026 backend change "accidentally re-enabled access to chats on public projects." That admission matters. It tells you the vulnerability was reintroduced by a routine refactor, and nothing in the company's testing pipeline caught it for two months.
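The authorization gap described under "What Actually Happened" and the kind of pipeline check that would flag its reintroduction, as an added example that is not Lovable's code and not part of the original article. The date-gated ownership check is an assumption used to reproduce the 403-on-new, 200-on-old behaviour; all project IDs, users, and function names are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Project:
    id: str
    owner: str
    created: date

# Constructed projects and users; none of these IDs come from the article.
PROJECTS = {p.id: p for p in (
    Project("p-legacy", "alice", date(2025, 6, 1)),
    Project("p-new", "alice", date(2026, 4, 2)),
    Project("p-bob", "bob", date(2025, 9, 15)),
)}
USERS = ("alice", "bob", "mallory")
CUTOFF = date(2025, 11, 1)  # assumption: stands in for "created before November 2025"

def get_files_flawed(uid, project_id):
    """Token is checked, but ownership is enforced only on newer projects."""
    if uid is None:
        return 401
    project = PROJECTS.get(project_id)
    if project is None:
        return 404
    if project.created >= CUTOFF and project.owner != uid:
        return 403
    return 200  # legacy objects fall through to any authenticated caller

def get_files_hardened(uid, project_id):
    """Deny by default: ownership is checked on every object, whatever its age."""
    if uid is None:
        return 401
    project = PROJECTS.get(project_id)
    if project is None:
        return 404
    if project.owner != uid:
        return 403
    return 200

def cross_tenant_leaks(handler):
    """CI check: every (caller, project) pair where a non-owner receives 200."""
    return sorted((u, p.id) for u in USERS for p in PROJECTS.values()
                  if u != p.owner and handler(u, p.id) == 200)

if __name__ == "__main__":
    print("flawed:  ", cross_tenant_leaks(get_files_flawed))
    print("hardened:", cross_tenant_leaks(get_files_hardened))
```

The fixture set has to include objects created under older code paths: a matrix built only from freshly created projects would report no leaks against the flawed handler.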
Why This Is Not an Outlier
BOLA has been ranked number one on the OWASP API Security Top 10 since 2019 and held that position through the 2023 edition. It accounts for approximately forty percent of all API attacks. It is the flaw behind the 2016 Uber breach, the 2018 Facebook breach, the 2024 Trello breach, and the 2024 Dell incident that exposed forty-nine million customer records. The technique has not changed. The defense has not changed. What has changed is the volume of code shipping with the flaw baked in.
Gartner forecasts that sixty percent of all new code will be AI-generated by the end of 2026. GitHub already reports that forty-six percent of new code is AI-generated today. Y Combinator's Winter 2025 cohort reported that twenty-one percent of startups have codebases that are ninety-one percent or more machine-written. And the empirical findings on that code are remarkably consistent across independent studies:
Veracode's analysis of over four million code scans found that forty-five percent of AI-generated code samples contain OWASP Top 10 vulnerabilities, with no measurable improvement across multiple testing cycles from 2025 through early 2026.
A 470-PR analysis by CodeRabbit found AI-co-authored code produces security vulnerabilities at 2.74 times the rate of human-written code.
A first-quarter 2026 assessment of more than 200 vibe-coded applications found that 91.5 percent contained at least one vulnerability traceable to AI hallucination.
A production scan of 5,600 vibe-coded applications by Escape uncovered 2,000 high-impact vulnerabilities, 400 exposed secrets, and 175 instances of PII including medical records and payment data.
Georgia Tech's Vibe Security Radar tracked thirty-five CVEs directly attributable to AI coding tools in March 2026 alone, up from six in January and fifteen in February. Researchers estimate the true figure is five to ten times higher across the open-source ecosystem.
Beesoul's audit data indicates approximately seventy percent of Lovable-built applications ship with Supabase row-level security disabled entirely.
The pattern is not that AI sometimes writes insecure code. The pattern is that AI writes OWASP Top 10 flaws — BOLA, hardcoded credentials, SSRF, XSS, SQL injection — at industrial scale, and it writes them faster than any human pipeline can review them.
The Agentic Inflection Point
The Lovable incident is a snapshot of something larger. We are entering a period in which entire application stacks are being generated, deployed, and exposed to the public internet without a single human reading the code.
Agentic coding tools — Claude Code, Cursor, Devin, Windsurf, Lovable, Bolt.new, v0 — do not write one line of code at a time. They write whole services, whole APIs, whole tenant models. The agents themselves call APIs to ship those services, and the services they ship are APIs. The attack surface is now bidirectional: the coding agent itself is a target (CVEs have already been disclosed against Amazon Q, Cursor, and GitHub Copilot), and every application it generates is a target. Researchers at Pillar Security have already demonstrated a "rules file backdoor" attack that injects malicious instructions into configuration files used by Cursor and GitHub Copilot, turning autonomous coding tools into remotely controlled malware delivery platforms.
Three factors compound:
Speed. Lovable hit $4 million ARR in its first four weeks. Apps ship in hours. Vulnerabilities are live before a scheduled pentest could even be scoped.
Scale. Eighty-seven percent of Fortune 500 companies have adopted at least one vibe-coding platform. Enterprise adoption grew 340 percent year over year.
Blind spots. The people shipping this code are not, for the most part, security engineers. They cannot read the generated code to spot the BOLA. They cannot audit the Supabase policies they never wrote. They cannot tell whether their Firebase token check is sufficient, because they do not know what sufficient looks like.
When the platform itself is the vulnerability, every tenant is exposed — and every downstream customer after that.
Why Human-Speed Penetration Testing Cannot Solve This
I want to be precise about what I am saying, because I know the pushback. I am not arguing that human penetration testers are obsolete. I spent my career as one. Elite human testers still matter — for novel logic flaws, for adversarial simulation at the organizational level, for the judgment calls that machines are not yet ready to make.
What I am arguing is that the human-speed model, as the default assurance mechanism for application security, is mathematically over.
Consider the math. The traditional engagement model is a point-in-time assessment — typically two weeks of testing per year for a given application. That leaves ninety-five percent of the calendar untested. Attackers are not waiting for your next annual pentest; they are operating continuously, at machine speed. The National Vulnerability Database logged more than 29,000 new CVEs in 2024, a 38 percent year-over-year increase. The gap between when a vulnerability ships and when a human tester finds it is now measured in months, while the gap between when it ships and when an attacker finds it is measured in hours.
Now layer on the volume. If sixty percent of new code is AI-generated, and forty-five percent of that code carries an OWASP Top 10 flaw, then the delta between what is built and what can be humanly tested is not closing. It is widening by orders of magnitude every quarter.
The Lovable incident itself is the proof. A single tester, operating at human speed through a human-managed bug bounty program, filed the report on March 3. By the time Lovable acted, forty-eight days of exposure had passed. During that window, a motivated attacker operating autonomously could have enumerated every pre-November-2025 project on the platform. The vulnerability was not complex. It did not require a zero-day. It required five API calls and persistence — the exact pattern an autonomous agent executes better than any human.
Why This Validates Autonomous Red Teaming — and Why We Built Ares
This is the problem we built Ares to solve.
Ares is an autonomous multi-agent red teaming platform purpose-built for APIs, web applications, and mobile applications. It is powered by Dagger, our proprietary 14-billion-parameter model fine-tuned on offensive security data. It does not run a checklist. It reasons about a target the way I do — enumerate the surface, hypothesize the ownership model, test the authorization boundary at every endpoint, chain findings into validated exploits, and produce a reproducible proof of exploitation.
Our agent roster is structured deliberately around this problem. Polemos orchestrates the engagement. Hermes reasons about APIs. Enyo hunts web apps. Momos handles SAST and Dolos handles DAST. Themis, Aletheia, and Argus validate every finding through real exploitation, because a finding without validation is a ticket nobody will triage, which is exactly how the Lovable report got closed. Kratos executes the attack chain.
A BOLA like Lovable's is the canonical case Ares is designed for. The agent authenticates, enumerates project IDs, varies the object identifier across the authenticated session, compares responses between new and legacy objects, and produces a reproducible proof: not a maybe, not a theoretical finding, but a validated exploit a developer can remediate against. And it does this continuously, at the pace the codebase actually ships, not at the pace a human consultant can be scheduled.
Let me say the quiet part out loud.
The Lovable incident is not an argument for better bug bounty triage — although that would also help. It is an argument for testing every API, every web app, and every mobile app continuously, autonomously, and at machine speed, because that is the pace at which the code is being written and the pace at which attackers are operating.
Anything slower is a structural bet that your exposure window will stay short enough to not matter. Lovable made that bet. It lost in forty-eight days.
The next major breach will not need a zero-day. A free account and five API calls will do it. The only defense that matches the economics of AI-generated code is an offense that matches its speed.
That is the thesis Ares was built on. The Lovable incident just made it impossible to argue against.
Sign up for an Ares account today at https://ares.assailai.com
Bibliography
All URLs verified as of April 22, 2026.
Lyons, Jessica. "Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus." The Register, April 20, 2026. https://www.theregister.com/2026/04/20/lovable_denies_data_leak/
Steffens Herrera, Allison. "Lovable left thousands of projects exposed for 48 days, and the vibe coding security crisis is only getting worse." The Next Web, April 21, 2026. https://thenextweb.com/news/lovable-vibe-coding-security-crisis-exposed
"Lovable flaw exposed source code, credentials and AI chats." Computing, April 21, 2026. https://www.computing.co.uk/news/2026/security/lovable-flaw-exposed-source-code-credentials-and-ai-chats
"Lovable AI App Builder Reportedly Exposes Thousands of Projects Data via API Flaw." Cyber Security News, April 20, 2026. https://cybersecuritynews.com/lovable-ai-app-builder-customer-data/
"Lovable AI App Builder Hit by Reported API Flaw Exposing Thousands of Projects." GBHackers, April 21, 2026. https://gbhackers.com/lovable-ai-app-builder-hit-by-reported-api-flaw/
"Is Your Code Safe? Lovable AI Fixes Vulnerability That Leaked Database Credentials." Techloy, April 21, 2026. https://www.techloy.com/is-your-code-safe-lovable-ai-fixes-vulnerability-that-leaked-database-credentials/
Poireault, Kevin. "Security Researchers Sound the Alarm on Vulnerabilities in AI-Generated Code." Infosecurity Magazine, March 26, 2026. https://www.infosecurity-magazine.com/news/ai-generated-code-vulnerabilities/
"Vibe Coding's Security Debt: The AI-Generated CVE Surge." Cloud Security Alliance Research Labs, 2026. https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-generated-code-vulnerability-surge-2026/
Zhao, Hanqing, et al. "Vibe Security Radar." Systems Software & Security Lab (SSLab), Georgia Institute of Technology School of Cybersecurity and Privacy. https://vibe-radar-ten.vercel.app/ and https://github.com/HQ1995/vibe-security-radar
"OWASP Top 10 API Security Risks – 2023." OWASP Foundation. https://owasp.org/API-Security/editions/2023/en/0x11-t10/
"OWASP API Security Top 10 Explained." Salt Security. https://salt.security/blog/owasp-api-security-top-10-explained
"OWASP API Security Top 10 Risks." Wiz Academy. https://www.wiz.io/academy/api-security/owasp-api-security
"A1:2023 – Broken Object Level Authorization." OWASP Foundation. https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
"Vibe coding." Wikipedia. https://en.wikipedia.org/wiki/Vibe_coding
"Vibe Coding Security Risks: Enterprise Guide 2026." BeyondScale. https://beyondscale.tech/blog/vibe-coding-security-risks-enterprise
"AI Generated Code Vulnerabilities: 7 Security Risks in 2026." VibeCoding.app, March 22, 2026. https://vibecoding.app/blog/ai-generated-code-security-risks
"Vibe Coding Security Risks: What Founders Need to Know (2026)." Modall. https://modall.ca/blog/vibe-coding-security-risks
"The state of vibe coding in 2026: Adoption won, now what?" Hashnode, February 26, 2026. https://hashnode.com/blog/state-of-vibe-coding-2026
"Why Offensive Security Is Moving to AI-Driven Autonomous Testing." FireCompass, February 13, 2026. https://firecompass.com/the-ai-shift-in-offensive-security-from-manual-to-autonomous-agents-2026/
@weezerOSINT (Matt Palmer), X posts of April 20, 2026, documenting HackerOne report #3583821 and the exploitation chain against Lovable's API. https://x.com/weezerOSINT
Lovable official responses, X, April 20, 2026. https://x.com/Lovable
Alissa Knight is the Founder, CEO, and Chief AI Officer of Assail, Inc., the venture-backed autonomous offensive security company behind Ares, the multi-agent red teaming platform for APIs, web applications, and mobile applications. She is a contributing author to the 2024 OWASP API Security Top 10, author of Hacking Connected Cars (Wiley), and has spent twenty-six years breaking APIs for a living.