
Lovable App Exposes 18,000 Users: The Vibe Coding Security Crisis Nobody Saw Coming
A single Lovable-showcased app had 16 security vulnerabilities — 6 critical — leaking data from students at UC Berkeley, UC Davis, and K-12 schools. Here is what went wrong, and what it means for anyone building with AI.

What Happened

On February 27, 2026, The Register reported that security researcher Taimur Khan discovered 16 vulnerabilities in a single app hosted on Lovable's platform — an AI-powered EdTech tool featured on Lovable's own Discover page with over 100,000 views. The app, built to create AI-generated exams and grade student submissions, exposed 18,697 user records to anyone with a browser and cURL. No login required.

Among the exposed data:

- 14,928 unique email addresses
- 4,538 student accounts — all with email addresses
- 10,505 enterprise users
- 870 users with full PII exposed
- Users from UC Berkeley, UC Davis, schools in Sweden, Spain, Belgium, Nigeria, Malaysia, the Philippines
- K-12 institutions with minors likely on the platform

This was not some obscure side project.
Continue reading on Dev.to Webdev



