Improper Access Control - Generic (CWE-284)CVSS 4

Users can change project visibility which requires high subscription by just changing request body

hackerone-reports

March 9, 2026

25 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3370430 by hossam25

Summary:

A Broken Access Control vulnerability allows users to change project visibility — a feature restricted to higher subscription tiers — by simply modifying the request body of visibility to Personal or Workspace. This bypasses subscription checks, enabling unauthorized access to premium functionality

Steps To Reproduce:

On the burp, enable intercept
On Lovabl, write anything to build a project
Click create and go to burp to endpoint https://lovable-api.com/workspaces/{YOUR-WORKSPACE-ID}/projects
On the body of the request change the visibility to Personal or Workspace which requires paid subscription

{"description":"landing view","visibility":"Personal","initial_message":{"id":"umsg_01k6qkw83ze07t9f7m9p3jabs9","message":"landing view","files":[],"optimisticImageUrls":[],"chat_only":false,"agent_mode_enabled":false,"ai_message_id":"aimsg_01k6qkw841e07t9f7ytpghd6bs"}}

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

Improper Access Control on www.target.example through /services/formcampaign via header "option" leads to unauthenticated read/write on the production marketing-campaign database

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.

Read Writeup →

hackerone-reports

POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops

Read Writeup →

gpk21

LogicalBreach Academy