CVE-2025-48757 — Lovable project-enumeration exposure
Lovable's project API exposed project metadata (name, slug, collaborator emails, GitHub repo ID, Firebase token scope) to callers without verifying that they owned the project. The exposure affected 170+ apps at disclosure time and, per Cyber Kendra's April 2026 report, re-broke after the initial patch.
Affected
- Lovable (vibe-coding platform) — pre-patch projects, and April 2026 re-break variant
What an attacker does
An attacker enumerates Lovable project IDs and queries the documented project endpoint. Before the patch, the endpoint returned the full project metadata to any caller, with no check that the caller owned or collaborated on the project, including collaborator email addresses and Firebase tokens that could be reused to read other project fields. The April 2026 re-break reintroduced a subset of this exposure.
How to detect
Use the free Lovable exposure checker at /tools. It queries the documented endpoints read-only and reports whether ownership is enforced for your project ID.
How to fix
Contact Lovable support to confirm your project is covered by the latest patch. Rotate collaborator sessions and any Firebase tokens. Audit GitHub repo access for collaborators you did not intend.
Securie flags Lovable exports that contain exposed Firebase tokens and scopes them against the intent graph of your routes.