
Lovable Is Worth $6.6 Billion — But It Has a Fatal Flaw Nobody Talks About

MegaOne AI · Apr 1, 2026 · Updated Apr 2, 2026 · 3 min read
Engine Score 7/10 — Important
  • Lovable raised $330 million at a $6.6 billion valuation in December 2025, tripling from $1.8 billion in five months, with revenue reaching $300 million ARR by January 2026.
  • A security audit of 1,645 Lovable-created apps found 170 exposed sensitive user data including names, emails, financial records, and API keys due to misconfigured Supabase databases.
  • The platform excels at generating prototypes from natural language prompts but lacks the backend security patterns needed for production applications.
  • CEO Anton Osika acknowledged: “We’re not yet where we want to be in terms of security.”

What Happened

Lovable, the Stockholm-based vibe-coding startup, raised $330 million in a Series B led by CapitalG and Menlo Ventures at a $6.6 billion valuation in December 2025. The round also included Khosla Ventures, Salesforce Ventures, and Databricks Ventures. The valuation tripled from $1.8 billion in just five months.

The growth metrics are exceptional. Lovable hit $100 million ARR in July 2025, $200 million in November, $300 million in January 2026, and added $100 million in a single month in February 2026 with only 146 employees. Over 100,000 new projects are built daily on the platform. By every growth metric, Lovable is the fastest-scaling AI startup in history.

Why It Matters

The growth obscures a structural security problem that has been documented since March 2025. Matt Palmer, an employee at competitor Replit, reviewed 1,645 Lovable-created web apps and found that 170 allowed unauthorized access to sensitive user information. In 47 minutes, a software engineer found personal debt amounts, home addresses, API keys, and private user prompts across multiple Lovable-built websites.

The gap between Lovable’s valuation and its security posture represents the central tension in vibe coding: tools that make building fast do not necessarily make building safe. As security expert Alex Stamos noted about Supabase configuration: “You can do it correctly. The odds of doing it correctly are extremely low.” The vulnerability was first identified on March 20, 2025, when Palmer found exposed data in a Lovable app called Linkable. He notified CEO Anton Osika via X the following day, and Lovable initially denied any issue.

Technical Details

Lovable turns natural language prompts into full-stack React applications with Tailwind CSS, connecting to Supabase for backend services and deploying to live URLs. The security failures are concentrated at the Supabase integration layer. Lovable generates frontend-only access checks but does not implement Row Level Security (RLS), leaving databases exposed to anyone who inspects network requests.

Additional issues include predictable sequential API IDs that enable enumeration attacks, in which a user reaches other users’ records simply by incrementing the ID in a request. Another recurring failure pattern is deadlocking caused by async authentication calls that Lovable generates but does not properly handle. Schema changes made during iteration silently break existing queries without warning. Lovable built a security scanner in response, but it only checks whether Supabase controls are enabled, not whether they are correctly configured, leaving a gap between the appearance of security and its reality.
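The two failure modes above (frontend-only access checks with no Row Level Security, and sequential IDs that invite enumeration) map directly onto Postgres configuration, which is what Supabase exposes through its REST API. The following is an added illustration written for this article, not Lovable-generated code or anything from Supabase’s documentation: it shows the weak table shape, the hardened version, and an audit query that catches the “enabled but not correctly configured” case the scanner misses. The table name `profiles` and its columns are constructed for the example; `auth.uid()` is Supabase’s built-in helper that returns the calling user’s ID from the request JWT.

```sql
-- WEAK SHAPE (constructed example of what a frontend-only access check leaves behind).
-- No RLS, so the anon key used by the browser can read every row via the REST API,
-- and the serial primary key lets a caller walk /rest/v1/profiles?id=eq.1, 2, 3, ...
CREATE TABLE public.profiles_weak (
    id       serial PRIMARY KEY,
    user_id  uuid NOT NULL,
    email    text NOT NULL,
    debt_usd numeric
);

-- HARDENED SHAPE.
-- 1. Non-sequential primary key removes the enumeration shortcut.
CREATE TABLE public.profiles (
    id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id  uuid NOT NULL REFERENCES auth.users (id) ON DELETE CASCADE,
    email    text NOT NULL,
    debt_usd numeric
);

-- 2. Turn RLS on. With RLS enabled and no policies, nothing is readable through
--    the anon or authenticated roles; access has to be granted explicitly.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- 3. Scope every operation to the row owner. auth.uid() is NULL for anonymous
--    callers, so the comparison is false and they see zero rows.
CREATE POLICY "profiles: owner reads own row"
    ON public.profiles FOR SELECT TO authenticated
    USING (auth.uid() = user_id);

CREATE POLICY "profiles: owner inserts own row"
    ON public.profiles FOR INSERT TO authenticated
    WITH CHECK (auth.uid() = user_id);

CREATE POLICY "profiles: owner updates own row"
    ON public.profiles FOR UPDATE TO authenticated
    USING (auth.uid() = user_id)
    WITH CHECK (auth.uid() = user_id);

-- ANTI-PATTERN that passes an "is RLS enabled?" check but protects nothing:
-- a policy whose predicate is literally true re-opens the table to everyone.
-- (Shown for recognition; do not apply.)
-- CREATE POLICY "open" ON public.profiles FOR SELECT TO anon, authenticated USING (true);

-- AUDIT QUERY: the check a reviewer actually wants. Lists public tables that either
-- have RLS disabled or carry a policy whose USING clause is the constant true.
-- pg_tables.rowsecurity and pg_policies.qual are standard Postgres catalog columns.
SELECT t.tablename,
       t.rowsecurity            AS rls_enabled,
       p.policyname,
       p.roles,
       p.cmd,
       p.qual                   AS using_clause
FROM   pg_tables t
LEFT   JOIN pg_policies p
       ON p.schemaname = t.schemaname AND p.tablename = t.tablename
WHERE  t.schemaname = 'public'
  AND  (t.rowsecurity = false OR p.qual = 'true')
ORDER  BY t.tablename, p.policyname;
```

Run the audit query as the database owner in the Supabase SQL editor; an empty result means every public table has RLS on and no blanket `USING (true)` policy. Note that the query flags only the most obvious permissive predicate; policies that reference the wrong column or compare against a client-supplied value still need a human read of each `using_clause`.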

Who’s Affected

Customers include Klarna, Uber, and Zendesk. Non-technical founders who raise funding on Lovable prototypes face an unquoted rebuild cost: the backend must be rewritten from scratch before handling real user data. The 170 exposed apps contained names, email addresses, financial information, and API keys that would allow attackers to run up charges billed to Lovable’s customers.

CEO Anton Osika acknowledged the problem on X: “We’re not yet where we want to be in terms of security and we’re committed to keep improving the security posture for all Lovable users.” The company’s 146-person team, while extraordinarily efficient at revenue generation, has not yet scaled its security engineering to match the volume of applications being deployed on the platform daily.

What’s Next

Lovable is actively pursuing acquisitions as of March 2026, which may include security-focused tooling. The broader vibe coding category faces the same challenge: AI models that generate code cannot yet evaluate how that code will be used in production contexts. Inexperienced users may not know the right security questions to ask.

Whether Lovable can close the gap between prototype generation and production-ready security before a major data breach forces the issue remains the unanswered question. The vulnerability was published in the National Vulnerability Database in May 2025, and the underlying architecture has not fundamentally changed since.
