HackerOne Disclosed Reports - 2025-11-04


Severity: Low | State: resolved

Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable AI)


Bug reported by Adham Samir, disclosed on November 4, 2025, 10:54 pm | Weakness: Improper Authorization

The API endpoint /workspaces//tool-preferences/ai_gateway/enable did not enforce a server-side role check. As a result, an account holding only the Editor role could disable the workspace-wide, admin-only Lovable AI feature, which powers the AI functionality used across the workspace.


Severity: Low | State: resolved

Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable Cloud)


Bug reported by Adham Samir, disclosed on November 4, 2025, 8:32 pm | Weakness: Improper Authorization

An account with the Editor role could call an API endpoint that disables workspace-wide, admin-only features. The endpoint verified that the caller was a workspace member but not that the member held the admin role, so an Editor could perform an admin-only action: a vertical privilege escalation caused by a missing server-side role check.
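Both reports above describe the same bug class: a feature-toggle endpoint that checks workspace membership but not the member's role. The following is an added example written for this thread, not Lovable's code, showing the vulnerable handler beside a hardened one. The workspace, user and role names, the "ai_gateway" feature key and the in-memory Workspace record are all made up for the demo.

```python
"""
Constructed example (not Lovable's code): a membership-only check lets an
Editor flip an admin-only workspace feature; the hardened handler derives the
caller's role from the server-side membership record and enforces it.
All identifiers here (workspace ids, user ids, the 'ai_gateway' feature key)
are assumptions made up for this demo.
"""
from dataclasses import dataclass, field

ADMIN = "admin"
EDITOR = "editor"

# Features that only a workspace admin may toggle (assumed policy).
ADMIN_ONLY_FEATURES = {"ai_gateway"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action (HTTP 403)."""


@dataclass
class Workspace:
    id: str
    members: dict                      # user_id -> role, the server-side source of truth
    features: dict = field(default_factory=lambda: {"ai_gateway": True})


def vulnerable_toggle(ws, user_id, feature, enabled):
    """Mirrors the reported bug: only membership is verified, never the role,
    so any member can toggle any feature, including admin-only ones."""
    if user_id not in ws.members:
        raise Forbidden("not a workspace member")
    ws.features[feature] = enabled
    return ws.features[feature]


def hardened_toggle(ws, user_id, feature, enabled):
    """Server-side role check. The role comes from the membership record,
    not from anything the client sent, and admin-only features require admin."""
    role = ws.members.get(user_id)
    if role is None:
        raise Forbidden("not a workspace member")
    if feature in ADMIN_ONLY_FEATURES and role != ADMIN:
        raise Forbidden(f"role '{role}' may not toggle admin-only feature '{feature}'")
    ws.features[feature] = enabled
    return ws.features[feature]


def demo():
    """Run an Editor and an Admin against both handlers; return the outcomes."""
    out = {}

    # Vulnerable handler: the Editor succeeds in disabling the admin-only feature.
    ws = Workspace("ws_demo", {"u_admin": ADMIN, "u_editor": EDITOR})
    out["vuln_editor_disables"] = vulnerable_toggle(ws, "u_editor", "ai_gateway", False)

    # Hardened handler: the Editor is rejected and the feature stays enabled.
    ws = Workspace("ws_demo", {"u_admin": ADMIN, "u_editor": EDITOR})
    try:
        hardened_toggle(ws, "u_editor", "ai_gateway", False)
        out["hardened_editor_blocked"] = False
    except Forbidden:
        out["hardened_editor_blocked"] = True
    out["feature_after_editor_attempt"] = ws.features["ai_gateway"]

    # Hardened handler: the Admin can still perform the admin-only action.
    out["hardened_admin_disables"] = hardened_toggle(ws, "u_admin", "ai_gateway", False)

    # Non-members are rejected by both handlers.
    try:
        hardened_toggle(ws, "u_outsider", "ai_gateway", True)
        out["outsider_blocked"] = False
    except Forbidden:
        out["outsider_blocked"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The test a practitioner would want from a fix like this is the one demo() encodes: every non-admin role is exercised against every admin-only endpoint and expected to be rejected, while the admin path still works. That table is what a regression test for this class of bug should assert, since the membership check alone passed before the fix.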




