Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2025-11-04
Low | resolved

Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable AI)


Bug reported by Adham Samir, disclosed on November 4, 2025 at 10:54 pm   |   Improper Authorization

The API endpoint /workspaces//tool-preferences/ai_gateway/enable did not enforce proper authorization checks. As a result, an account with the Editor role was able to disable the workspace-wide admin-only Lovable AI feature, which powers key AI functionalities across the workspace.


Low | resolved

Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable Cloud)


Bug reported by Adham Samir, disclosed on November 4, 2025 at 8:32 pm   |   Improper Authorization

A vulnerability was discovered where an account with the Editor role could call an API endpoint that disabled workspace-wide admin-only features. This was due to a lack of server-side role checks, allowing a vertical privilege escalation.