Dark C0d3rs
HackerOne Disclosed Reports - 2025-11-04 - Printable Version




HackerOne disclosed reports - 2025-11-04 - hashXploiter - 11-05-2025

Low   |   resolved

Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable AI)


Bug reported by Adham Samir was disclosed on November 4, 2025, 10:54 pm   |   Improper Authorization

The API endpoint /workspaces//tool-preferences/ai_gateway/enable did not enforce proper authorization checks. As a result, an account with the Editor role was able to disable the workspace-wide admin-only Lovable AI feature, which powers key AI functionalities across the workspace.


Low   |   resolved

Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable Cloud)


Bug reported by Adham Samir was disclosed on November 4, 2025, 8:32 pm   |   Improper Authorization

A vulnerability was discovered where an account with the Editor role could call an API endpoint that disabled workspace-wide admin-only features. This was due to a lack of server-side role checks, allowing a vertical privilege escalation.
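An added illustration of the server-side role check that both reports describe as missing: the "before" handler checks only workspace membership, the hardened one reads the caller's role from the server-side membership record before touching an admin-only setting. This is example code written for this post, not Lovable's code; the in-memory workspace table, the role names and the handler shape are assumptions.

```python
# Added example: enforcing a server-side role check on a workspace-wide
# admin-only toggle. Framework-free so it runs offline; the in-memory
# workspace table, role names and request shape are assumptions.
from dataclasses import dataclass, field

ADMIN_ONLY_FEATURES = {"ai_gateway"}   # assumed: features only admins may toggle

@dataclass
class Workspace:
    members: dict           # user_id -> role ("admin" or "editor")
    features: dict = field(default_factory=lambda: {"ai_gateway": True})

# Constructed sample workspace: one admin, one editor.
WORKSPACES = {"ws1": Workspace(members={"alice": "admin", "bob": "editor"})}

def set_feature_vulnerable(user_id, workspace_id, feature, enabled):
    """'Before' state from the reports: only membership is checked,
    so an editor can flip an admin-only, workspace-wide setting."""
    ws = WORKSPACES[workspace_id]
    if user_id not in ws.members:
        return 403, "not a member"
    ws.features[feature] = enabled          # no role check here
    return 200, ws.features[feature]

def set_feature_fixed(user_id, workspace_id, feature, enabled):
    """Hardened version: the role comes from the server-side membership
    record, never from the request body, and admin-only features require
    the admin role before any state changes."""
    ws = WORKSPACES.get(workspace_id)
    if ws is None or user_id not in ws.members:
        return 403, "not a member"         # same answer for unknown workspaces
    if feature in ADMIN_ONLY_FEATURES and ws.members[user_id] != "admin":
        return 403, "admin role required"  # vertical escalation blocked here
    ws.features[feature] = enabled
    return 200, ws.features[feature]

def demo():
    """Editor 'bob' tries to disable ai_gateway through both handlers."""
    WORKSPACES["ws1"].features["ai_gateway"] = True
    vuln = set_feature_vulnerable("bob", "ws1", "ai_gateway", False)
    after_vuln = WORKSPACES["ws1"].features["ai_gateway"]
    WORKSPACES["ws1"].features["ai_gateway"] = True
    fixed = set_feature_fixed("bob", "ws1", "ai_gateway", False)
    after_fixed = WORKSPACES["ws1"].features["ai_gateway"]
    return vuln[0], after_vuln, fixed[0], after_fixed

if __name__ == "__main__":
    print(demo())   # (200, False, 403, True)
```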