February 27, 2026
Vibes over safety? Class dismissed
Vibe coded Lovable-hosted app littered with basic flaws exposed 18K users
Community roasts 'vibe apps' as clout-first, safety-last
TLDR: A Lovable-hosted, AI-built app reportedly leaked data for 18,000+ teachers and students after an inverted login check, and the bug report was allegedly closed. Commenters split between blaming the platform for lax safeguards and arguing these mistakes plague human-built apps too—and want clearer labels and guardrails.
The vibes just went sour. After entrepreneur Taimur Khan said he found 16 bugs (six critical) in a Lovable-hosted, AI-built school app that allegedly exposed data for 18,000+ teachers and students, the comments lit up. The alleged twist: logins were flipped—logged-in users got blocked while strangers waltzed in. Khan claims his support ticket got closed without a reply, and that’s where the community snapped.
Users are rattled that apps on Lovable’s glossy Discover page can look legit while missing basic safeguards. One camp is furious at the platform: “If you market ‘production-ready’ with login included, you own the fallout.” Another camp is spooked as ordinary users: as carlgreene put it, you can’t tell what’s AI-coded, and it’s a “scary time” to try new apps. Meanwhile, devs like ch4s3 wonder whether all their scanners and checklists are real defense or just security theater.
Not everyone is pinning this solely on AI. As julianlam quips, this kind of backwards login bug is the kind a human makes after forgetting a “not” sign—so the real problem, they argue, is shipping without a human review. But others clap back that Lovable courts non-devs with look-alike, pastel demo apps—“clout-coded,” joked one poster—so the platform needs guardrails by default. With Veracode saying nearly half of AI code has flaws and “vibe coding” now a buzzword, commenters demand labels for AI-built apps, platform-level safety switches, and a real security check before anything is showcased.
Key Points
- A Lovable-hosted app had 16 vulnerabilities, including six critical, exposing 18,697 user records.
- The app’s backend used Supabase; missing row-level security and role-based access led to flawed authorization.
- A malformed authentication function inverted logic, allowing unauthenticated access and blocking authenticated users.
- Exposed data included 14,928 unique emails, 4,538 student accounts, 10,505 enterprise users, and 870 with full PII.
- Khan urged Lovable to assume security responsibility; his support ticket was closed without response.
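The two failure modes in the key points (an authentication guard with its condition negated, and a table with no row-level authorization) are easy to see side by side in a small model. The block below is an added example written for this summary; it is not code from the app in the story, from Lovable, or from Supabase. The `STUDENTS` records, the `requireAuth`/`listStudents*` function names, the `owner_id` column and the `session.userId` shape are all assumptions made for illustration.

```javascript
// Added example (not the app's, Lovable's or Supabase's code): a model of
// an inverted auth guard and of missing vs. present row-level authorization.

// Constructed sample rows standing in for a Supabase "students" table.
const STUDENTS = [
  { id: 1, owner_id: "u-teacher-1", email: "a@example.org", ssn_last4: "1234" },
  { id: 2, owner_id: "u-teacher-2", email: "b@example.org", ssn_last4: "5678" },
];

// Buggy guard, as the key points describe: the condition is negated, so a
// caller WITH a session is rejected and a caller WITHOUT one is let through.
function buggyRequireAuth(session) {
  if (session) {
    return { ok: false, status: 401 };
  }
  return { ok: true };
}

// Corrected guard: reject only when there is no session.
function requireAuth(session) {
  if (!session) {
    return { ok: false, status: 401 };
  }
  return { ok: true };
}

// Without row-level security, any authenticated caller gets every row,
// including other teachers' students and their PII.
function listStudentsNoRls(session) {
  const auth = requireAuth(session);
  if (!auth.ok) return auth;
  return { ok: true, rows: STUDENTS };
}

// With a per-row ownership check (modelled here in JS; in Supabase the same
// rule lives in a Postgres RLS policy, e.g. USING (owner_id = auth.uid())),
// a caller sees only the rows they own.
function listStudentsWithRls(session) {
  const auth = requireAuth(session);
  if (!auth.ok) return auth;
  return { ok: true, rows: STUDENTS.filter((r) => r.owner_id === session.userId) };
}

// A two-line sanity check suitable for CI: an authenticated caller must pass
// and an anonymous caller must be rejected. The buggy guard fails this.
function guardIsSane(guard) {
  const authed = guard({ userId: "u-teacher-1" });
  const anon = guard(null);
  return authed.ok === true && anon.ok === false;
}
```

The point of `guardIsSane` is that an inverted guard is trivially detectable if the test suite checks both directions; a suite that only asserts "logged-in user can reach the page" would not have caught the flipped condition, and a suite that never runs as an anonymous caller would not have caught the open door. On the authorization side, enabling RLS on the table and attaching an ownership policy means that even a route with a broken guard cannot hand out other tenants' rows, which is the defence in depth the key points say was missing.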