Lovable: Public Project Visibility Removed

Lovable

Following a security incident disclosed on April 20, 2026, in which a backend regression had exposed the source code and AI chat histories of public projects to any authenticated Lovable user for 48 days, Lovable permanently removed the "public" project visibility tier on April 22. All existing public projects were automatically converted to Workspace visibility. The platform now supports two access modes: Workspace (default, all plans) and Restricted (Business/Enterprise only). This is a breaking change for users who relied on public project sharing or community remixing.

Background: The April 2026 Security Incident

On April 20, 2026, a security researcher publicly disclosed a broken object-level authorization (BOLA) vulnerability in Lovable's API. Any authenticated user, including one on a free account, could retrieve the source code, database credentials, AI chat histories, and customer data of other users' public projects in as few as five API calls. A BOLA flaw of this kind means the API established who the caller was but did not verify that the caller was entitled to the specific object being requested.

The vulnerability was traced to a backend regression introduced in February 2026, when Lovable unified its permissions layer and in doing so re-enabled access to chat histories on public projects, undoing protections that had been deliberately built throughout 2025. The regression went undetected for 48 days before public disclosure. A fix was deployed within two hours of the April 20 disclosure.

Lovable's initial response drew significant criticism: the company first characterized the exposed data as "intentional behaviour," then attributed the confusion to unclear documentation, and eventually acknowledged the mistake in a formal apology. CEO Anton Osika later stated: "I take accountability."

What Changed on April 22, 2026

Two days after the vulnerability was patched, Lovable made a permanent product decision: the "public" project visibility tier was removed entirely.

Public visibility no longer exists. As of April 22, 2026, it is no longer possible to create a public project on Lovable. All projects previously set to "public" were automatically migrated to workspace visibility. The sole exception: Lovable's own official remixable templates, which retained their public status.

The new visibility model has two tiers:

  • Workspace (default for all plans): All workspace members and invited collaborators can view, remix, or edit the project based on their assigned role.
  • Restricted (Business and Enterprise plans only): Only the project owner and explicitly invited collaborators can access the project; other workspace members have no visibility.
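As an added illustration (not Lovable's code, whose backend is not described on this page), the following Python models both the failure mode described in the Background section and the two-tier model above: a "unified" policy that answers one project-level visibility question and applies that answer to every resource, so a public project's chat history and secrets become readable by any authenticated user, next to a per-resource check in which the public grant covers source only, plus the April 22 migration that folds public projects into Workspace. The `User`, `Project` and `Resource` types, the scenario data, and the rule that workspace members may read chat history are assumptions for this example; role granularity within a workspace is omitted.

```python
"""Object-level authorization for project resources (illustrative, not Lovable's code).

Two policies side by side:
- regressed_can_read: one project-level visibility answer reused for every
  resource; a public project leaks chat history and secrets to any
  authenticated user (the regression the incident describes).
- can_read: evaluated per resource; the public grant never covers chat
  history or secrets, and Restricted admits only owner and collaborators.
All types and sample data below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"          # legacy tier, removed April 22, 2026
    WORKSPACE = "workspace"
    RESTRICTED = "restricted"


class Resource(Enum):
    SOURCE = "source"
    CHAT_HISTORY = "chat_history"
    SECRETS = "secrets"        # e.g. database credentials


@dataclass(frozen=True)
class User:
    id: str
    workspace_id: str


@dataclass
class Project:
    id: str
    owner_id: str
    workspace_id: str
    visibility: Visibility
    collaborators: frozenset[str] = frozenset()


def is_member(user: User, project: Project) -> bool:
    """Owner or explicitly invited collaborator."""
    return user.id == project.owner_id or user.id in project.collaborators


def in_workspace(user: User, project: Project) -> bool:
    return user.workspace_id == project.workspace_id


def regressed_can_read(user: User, project: Project, resource: Resource) -> bool:
    """Unified permissions layer: `resource` is deliberately ignored.

    Authentication (having a User at all) is the only thing a stranger needs
    to read a public project's chat history and secrets.
    """
    if project.visibility is Visibility.PUBLIC:
        return True
    if project.visibility is Visibility.WORKSPACE:
        return in_workspace(user, project) or is_member(user, project)
    return is_member(user, project)


def can_read(user: User, project: Project, resource: Resource) -> bool:
    """Per-resource object-level check."""
    if is_member(user, project):
        return True
    if project.visibility is Visibility.RESTRICTED:
        return False
    if in_workspace(user, project):
        # Assumption for this example: workspace members see every resource.
        return True
    # Outsider on a public project: the public grant covers source only;
    # chat history and secrets stay inside the workspace.
    return project.visibility is Visibility.PUBLIC and resource is Resource.SOURCE


def remove_public_tier(projects: list[Project], official_template_ids: frozenset[str] = frozenset()) -> list[Project]:
    """April 22 migration: public projects become Workspace, except official templates."""
    for project in projects:
        if project.visibility is Visibility.PUBLIC and project.id not in official_template_ids:
            project.visibility = Visibility.WORKSPACE
    return projects


def run_regression_check() -> dict[str, bool]:
    """Constructed scenario: an authenticated stranger probes another user's public project."""
    stranger = User("mallory", "ws-m")          # free-tier account, other workspace
    project = Project("p1", "alice", "ws-a", Visibility.PUBLIC)
    results = {
        "regressed_leaks_chat": regressed_can_read(stranger, project, Resource.CHAT_HISTORY),
        "fixed_leaks_chat": can_read(stranger, project, Resource.CHAT_HISTORY),
        "fixed_leaks_secrets": can_read(stranger, project, Resource.SECRETS),
        "public_source_readable": can_read(stranger, project, Resource.SOURCE),
    }
    remove_public_tier([project])
    results["post_migration_source_readable"] = can_read(stranger, project, Resource.SOURCE)
    return results


if __name__ == "__main__":
    for name, value in run_regression_check().items():
        print(f"{name}: {value}")
```

The `resource` parameter being unused in `regressed_can_read` is the whole bug: when a permissions layer collapses every resource of an object into one visibility decision, the most sensitive resources inherit the broadest grant. A regression test that asserts an outsider cannot read chat history on a public project would have caught the February change before it shipped.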

Impact on Users

For developers who used public projects to build portfolios, share work, or enable community remixing, this change is immediately breaking. Projects that were previously reachable by anyone with the link are now inaccessible outside the workspace. Users who relied on the "public" tier for open sharing must either invite collaborators explicitly or publish their apps to an external URL. Independently of the visibility change, any database credentials or API keys that appeared in the source or chat history of a project that was public during the 48-day exposure window should be treated as exposed and rotated.

Lovable communicated directly with affected project owners whose projects were converted, giving them the opportunity to adjust visibility settings within the new framework.

The Broader Signal

The incident and Lovable's handling of it became a flashpoint in discussions about the security posture of AI-assisted development platforms. The speed at which vibe-coding tools enable rapid app creation amplifies the consequences when the platform mishandles permission models, particularly for projects that may contain database credentials, API keys embedded in chat context, or sensitive customer data. Lovable's decision to permanently remove public visibility, rather than rebuild it with stricter guardrails, reflects a deliberate trade-off: reducing the platform's attack surface at the cost of an open-sharing use case.