Lovable VDP: Improper Authorization Allows an Editor to Toggle Admin-Only Workspace Features (Lovable Cloud)
A vulnerability was discovered where an account with the Editor role could call an API endpoint that disabled workspace-wide admin-only features. This was due to a lack of server-side role checks, allowing a vertical privilege escalation...
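
The missing control described above, sketched as an added example (not Lovable's code): one feature-toggle handler without a server-side role check, and the same handler with one. The handler names, membership store, feature key and status codes are all assumptions made for illustration.

```javascript
// Constructed sample data; every name here is hypothetical.
const ADMIN_ONLY_FEATURES = new Set(["example_admin_feature"]);
const memberships = new Map([["ws1:alice", "admin"], ["ws1:bob", "editor"]]);
const newState = () => ({ ws1: { example_admin_feature: true } });

// Before: membership is checked, the caller's role is not. Hiding the
// control in the Editor's UI does nothing once the API is called directly.
function toggleFeatureVulnerable(state, session, req) {
  if (!memberships.has(`${req.workspaceId}:${session.userId}`)) {
    return { status: 403 };
  }
  state[req.workspaceId][req.feature] = req.enabled;
  return { status: 200 };
}

// After: the role comes from the server-side membership record of the
// authenticated session. Any role the client puts in the request is ignored.
function toggleFeatureHardened(state, session, req, audit) {
  const role = memberships.get(`${req.workspaceId}:${session.userId}`);
  if (role === undefined) return { status: 403 }; // not a member
  if (!ADMIN_ONLY_FEATURES.has(req.feature) || typeof req.enabled !== "boolean") {
    return { status: 400 }; // unknown feature key or malformed value
  }
  const event = { user: session.userId, role, feature: req.feature };
  if (role !== "admin") {
    // Denials are recorded so attempted escalation shows up in review.
    audit.push({ ...event, outcome: "denied" });
    return { status: 403 };
  }
  state[req.workspaceId][req.feature] = req.enabled;
  audit.push({ ...event, outcome: "changed" });
  return { status: 200 };
}

// Replays one Editor request against both handlers. The request body
// carries a self-declared role, which the hardened handler never reads.
function demo() {
  const req = { workspaceId: "ws1", feature: "example_admin_feature",
                enabled: false, role: "admin" };
  const before = newState(), after = newState(), audit = [];
  const vulnerable = toggleFeatureVulnerable(before, { userId: "bob" }, req);
  const hardened = toggleFeatureHardened(after, { userId: "bob" }, req, audit);
  return { vulnerable, hardened, before, after, audit };
}
```
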