Lovable AI App Builder Exposes Sensitive User Data via API Flaw

An AI system is involved as Lovable is an AI app-building platform handling AI chat histories and code projects. The event stems from the use and design of the AI system's visibility settings, which led to unauthorized access to sensitive data, including AI chat histories and customer records. This constitutes a violation of privacy and potentially breaches obligations to protect user data, which falls under harm to rights and possibly harm to individuals. Although the company denies a breach, the exposure of sensitive data due to unclear documentation and design is a realized harm. Therefore, this qualifies as an AI Incident because the AI system's use and design directly led to harm through unauthorized data exposure.

The platform is an AI app-building system, so an AI system is involved. The issue arises from the use and design of the AI system's public visibility settings, which led to unauthorized access to sensitive data including source code, credentials, and chat histories. This constitutes a violation of rights and a breach of obligations under applicable law. The harm has already occurred as demonstrated by the researcher's access and public disclosure. Although the company denies a breach, the exposure of sensitive data due to the AI system's design and unclear documentation is a direct cause of harm. Hence, this is an AI Incident.

The event explicitly involves an AI system (Lovable's vibe coding AI tool) whose malfunction (a security flaw in API authorization) directly led to unauthorized access to sensitive user data, including credentials and chat histories. This constitutes harm to users' privacy and potentially breaches legal obligations regarding data protection. The company's failure to promptly address the vulnerability and the resulting data exposure confirm realized harm. Hence, this is an AI Incident rather than a hazard or complementary information.

The event explicitly involves an AI system (Lovable's AI-powered vibe-coding platform) whose malfunction or design flaw allowed unauthorized access to sensitive user data, including chat histories and personal information. This exposure constitutes a violation of privacy rights and a breach of obligations under applicable law protecting personal data, fitting the definition of an AI Incident. Although the company denies a mass data breach, the unauthorized access and exposure of personal data have already occurred, indicating realized harm. Therefore, this event qualifies as an AI Incident rather than a hazard or complementary information.

The event involves an AI system (Lovable) that enables users to build apps by chatting with AI, and the platform's API misconfiguration led to unauthorized access to sensitive data including AI chat histories and customer information. The harm includes violations of privacy rights and exposure of intellectual property, fulfilling criteria for harm to persons and breach of rights. The AI system's malfunction (backend tweak and API authorization flaw) directly caused the incident. The exposure is not speculative but has occurred, with real data leaked and users affected. Hence, this is an AI Incident rather than a hazard or complementary information.

The Lovable AI app builder is an AI system, and the reported API flaw has led to a data breach exposing sensitive information, including source code and user credentials. This constitutes harm to intellectual property rights and user privacy, which falls under violations of rights as per the AI Incident definition. Therefore, this event qualifies as an AI Incident due to the realized harm caused by the AI system's vulnerability and its exploitation.

The event involves an AI system (Lovable, an AI-powered app builder) whose API has a security flaw allowing unauthorized access to sensitive data including AI chat histories and project source code. The harm is realized as unauthorized data exposure affecting thousands of projects and users, including organizations and individuals, which constitutes violations of rights and harm to property and communities. The AI system's malfunction (broken authorization) is the direct cause of this harm. Hence, it meets the criteria for an AI Incident rather than a hazard or complementary information.

The incident involves an AI system (Lovable's AI-coding platform) whose malfunction (a backend permissions error) directly led to unauthorized data exposure, including AI chat histories and user code. This exposure constitutes a violation of privacy and data security, harming users and organizations. The harm is realized, not just potential, and the AI system's role is pivotal as the platform's design and permission management caused the breach. Hence, it meets the criteria for an AI Incident rather than a hazard or complementary information.

The platform uses AI to build applications via conversational interfaces, making chat histories integral to the system. The exposure of chat data and related sensitive information due to a technical error and unclear design directly led to harm in terms of privacy violations and potential breaches of user rights. Although the company denies a data breach in the traditional sense, the unauthorized visibility of private chat histories and development data is a clear harm linked to the AI system's malfunction and design flaws. The company has since fixed the issue, but the event qualifies as an AI Incident because harm occurred due to the AI system's use and malfunction.

An AI system is involved as the platform hosts AI chat models and user interactions with them. The exposure of chat histories and sensitive data due to a bug in the API directly led to a violation of user privacy and data protection rights, which falls under violations of human rights or breach of applicable law protecting fundamental rights. The harm is realized as user data was accessible to unauthorized parties. Therefore, this qualifies as an AI Incident.

The event explicitly involves an AI system (the vibe coding platform generating full-stack applications from natural language prompts) whose use has directly led to multiple security incidents exposing sensitive data and user records, constituting harm to individuals and communities. The vulnerabilities stem from AI-generated code containing security flaws, and the company's failure to properly address reported issues contributed to ongoing harm. The harms include violations of privacy and data protection rights, which fall under violations of human rights and legal obligations. The detailed description of realized harm and direct causation by the AI system's outputs confirms classification as an AI Incident rather than a hazard or complementary information.

The event involves an AI system (Lovable's AI coding platform) whose malfunction (a security vulnerability) directly led to unauthorized access to sensitive data, including source code and credentials, which is a violation of intellectual property rights and user privacy. This fits the definition of an AI Incident because the AI system's malfunction caused harm (data breach and exposure of confidential information). Although the company initially denied a breach, the researcher and experts confirm unauthorized access occurred. The company's subsequent fix and explanation are complementary information but do not negate the incident classification.

The AI coding platform Lovable qualifies as an AI system because it is an AI coding platform, implying AI involvement in code generation or assistance. The security flaw allowed unauthorized access to sensitive data, which is a direct harm to property and user rights. The incident involves the AI system's malfunction (permission handling error) leading to realized harm. Hence, this event meets the criteria for an AI Incident.

The event involves an AI system (Lovable's AI chat product) whose use led to unauthorized access to user data, constituting harm to users' privacy and potentially violating data protection rights. The incident is a realized harm caused indirectly by the AI system's design and operational shortcomings, meeting the criteria for an AI Incident. The company's response and apology are complementary but do not change the classification of the original event as an incident.

The event involves an AI system (Lovable AI's vibe-coding platform) whose malfunction (a backend regression) led to unauthorized access to sensitive data including source code, credentials, chat history, and customer data. This unauthorized access constitutes a breach of obligations under applicable law protecting intellectual property and privacy rights, fulfilling the criteria for an AI Incident. The company's initial denial and subsequent acknowledgment, along with the data exposure, confirm that harm occurred. Therefore, this is classified as an AI Incident.