Security vulnerabilities exposed in Lovable-showcased EdTech app

✍️ OpenClawRadar | 📅 Published: February 26, 2026 | 🔗 Source

A security researcher discovered multiple critical vulnerabilities in an EdTech application showcased as a success story on the Lovable platform. Lovable is a $6.6B "vibe coding" platform that features apps built with its tools.

Vulnerability Details

The researcher tested an EdTech app with 100K+ views on Lovable's showcase that had real users from UC Berkeley, UC Davis, and schools across Europe, Africa, and Asia. In a few hours of testing, they found:

  • 16 total security vulnerabilities
  • 6 critical vulnerabilities
  • Auth logic that was "literally backwards" — it blocked logged-in users and let anonymous ones through
  • The researcher described this as "classic AI-generated code that 'works' but was never reviewed"

What Was Exposed

  • 18,697 user records (names, emails, roles) — accessible without authentication
  • Account deletion via single API call — no authentication required
  • Student grades modifiable — no authentication required
  • Bulk email sending capability — no authentication required
  • Enterprise organization data from 14 institutions
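To make the two findings above concrete, here is an added illustration (not the EdTech app's code, nor anything from Lovable): the "backwards" guard the researcher describes, beside a deny-by-default guard, applied to the four operations listed as reachable without authentication, with a small audit that reports which endpoints an anonymous request can still hit. All handler names, roles and records are assumed and constructed for the example.

```javascript
// Added illustration, not the EdTech app's or Lovable's code. Models the
// inverted auth check described in the post next to a deny-by-default guard,
// then audits the listed operations for anonymous reachability.
// All names, roles and records are assumed/constructed.

const users = [ // constructed sample records
  { id: 1, name: "Ana", email: "ana@example.edu", role: "student", grade: "B" },
  { id: 2, name: "Bo", email: "bo@example.edu", role: "admin", grade: null },
];

// The inverted guard: a request carrying a session is refused,
// a request with no session is admitted.
function guardBackwards(req) {
  return !req.session;
}

// Deny by default: a session is required, and its role must be allowed.
function guardDenyByDefault(req, allowedRoles) {
  const s = req.session;
  if (!s || typeof s.userId !== "number") return false;
  return allowedRoles.includes(s.role);
}

// Each handler answers 401 unless the supplied guard admits the request.
function makeHandlers(guard) {
  const ok = (req, roles) => guard(req, roles);
  return {
    listUsers:     (req) => (ok(req, ["admin"]) ? { status: 200, body: users } : { status: 401 }),
    deleteAccount: (req) => (ok(req, ["admin"]) ? { status: 204 } : { status: 401 }),
    setGrade:      (req) => (ok(req, ["instructor", "admin"]) ? { status: 200 } : { status: 401 }),
    sendBulkEmail: (req) => (ok(req, ["admin"]) ? { status: 202 } : { status: 401 }),
  };
}

// Audit: call every handler with no session and return the names of the
// endpoints that answered with anything other than 401.
function anonymouslyReachable(guard) {
  const handlers = makeHandlers(guard);
  const anon = { session: null };
  return Object.keys(handlers).filter((name) => handlers[name](anon).status !== 401);
}

console.log("backwards guard, reachable anonymously:", anonymouslyReachable(guardBackwards));
console.log("deny-by-default, reachable anonymously:", anonymouslyReachable(guardDenyByDefault));
```

The same audit, run as a test against every route before shipping, is the review step the post says never happened.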

Response

The researcher reported the vulnerabilities to Lovable, which closed the support ticket without addressing the issues.

📖 Read the full source: r/ClaudeAI
