5,000 vibe-coded apps prove shadow AI is the new S3 bucket crisis

Applications of AI


Most enterprise security programs are built to protect servers, endpoints, and cloud accounts. None of them were built for a product manager who spends a weekend vibe coding in Lovable, connects the result to a live Supabase database, and ends up with customer intake forms deployed to public URLs that Google indexes. That gap now has a price tag attached to it.

A new study from Israeli cybersecurity firm RedAccess quantifies the scale. The company found 380,000 publicly accessible assets, including applications, databases, and related infrastructure, built with the vibe coding tools Lovable, Base44, and Replit and the deployment platform Netlify. Approximately 5,000 of these assets, about 1.3%, contained confidential company information. CEO Dor Zvi said his team discovered the exposure while researching shadow AI for customers. Axios independently verified several of the exposed apps, and Wired separately confirmed the results.

Among the exposures identified was a shipping company’s app detailing which ships were expected to arrive at which ports. Unredacted customer service conversations from a UK cabinet supplier were published on the open web, as was a medical company’s internal application listing ongoing clinical trials across the UK. A Brazilian bank’s internal financial information was accessible to anyone who found the URL.

The leaked data also included patient conversations at a children’s long-term care facility, hospital doctor and patient profiles, incident response records at a security company, and ad buying strategies. Depending on the jurisdiction and the data involved, medical and financial exposures of this kind can trigger regulatory obligations under HIPAA, UK GDPR, or Brazil’s LGPD.

RedAccess also found phishing sites built on Lovable that posed as Bank of America, FedEx, Trader Joe’s, and McDonald’s. Lovable said it has begun investigating and removing the phishing sites.

The default is the problem

Privacy settings on some vibe coding platforms leave an app publicly accessible unless the user manually switches it to private. Many of these applications are indexed by Google and other search engines, so anyone can stumble across them. Zvi put it bluntly: “I don’t think it’s possible to educate the whole world about security, and my mother does [vibe coding]. No offense, but I don’t think she would think about role-based access.”

This is not an isolated discovery

In October 2025, Escape.tech scanned 5,600 publicly available vibe-coded applications and found over 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 cases of personal data exposure including medical records and bank account numbers. Every vulnerability Escape found was in a live production system, and all of them were found within hours. The full report describes the methodology. Escape separately raised an $18 million Series A led by Balderton in March 2026, citing the security gap created by AI-generated code as its core market thesis.

Gartner’s Predicts 2026 report forecasts that by 2028 the instant-app approach adopted by citizen developers will result in a 2,500% increase in software defects. Gartner identifies a new class of flaw in which AI generates code that is syntactically correct but unaware of the broader system architecture and of nuanced business rules. Remediating these deep-context bugs, Gartner argues, will consume budget previously allocated to innovation.

Shadow AI is a multiplier

IBM’s 2025 Cost of a Data Breach Report found that 20% of organizations have experienced a breach related to shadow AI. These incidents added $670,000 to the average cost of a breach, pushing the average shadow AI breach to $4.63 million. Of the organizations that reported AI-related breaches, 97% did not have adequate access controls in place, and 63% had no AI governance policy.

Shadow AI breaches expose customers’ personally identifiable information 65% of the time, compared with 53% for breaches overall, and involve data spread across multiple environments 62% of the time. Only 34% of organizations with AI governance policies conduct regular audits for unapproved AI tools. VentureBeat’s shadow AI analysis estimates that the number of actively used shadow apps could more than double by mid-2026. According to data from Cyberhaven, 73.8% of ChatGPT use in corporate environments went through personal, non-corporate accounts.

What to do first

The audit framework below gives CISOs a starting point for triaging vibe-coded app risk across five domains. For each domain it lists the current state in most organizations, the target state, and the first action to take.

Discovery
    Current state (most organizations): No visibility into vibe-coded apps
    Target state: Automated scanning of vibe coding platform domains
    First action: Run DNS and certificate transparency scans for Lovable, Replit, Base44, and Netlify subdomains that can be tied to corporate assets

Authentication
    Current state (most organizations): Platform default (public by default)
    Target state: SSO/SAML integration required before deployment
    First action: Block unauthenticated apps from reaching internal data sources

Code scanning
    Current state (most organizations): Zero coverage for citizen-built apps
    Target state: SAST/DAST required before production
    First action: Extend the existing AppSec pipeline to cover vibe-coded deployments

Data loss prevention
    Current state (most organizations): Vibe coding domains are not covered by DLP
    Target state: DLP policies covering Lovable, Replit, Base44, and Netlify
    First action: Add the vibe coding platform domains to existing DLP rules

Governance
    Current state (most organizations): No AI usage policy and no shadow AI detection
    Target state: AI governance policy, including regular audits for unauthorized tools
    First action: Publish an AI coding tool authorization policy with a pre-deployment review gate

CISOs who treat this as a policy issue will write a memo. CISOs who treat it as an architecture issue will deploy discovery scans across the four largest vibe coding domains, require pre-deployment security reviews, extend existing AppSec pipelines to citizen-built apps, and add these domains to DLP rules before the next board meeting. The second group is the one that stays out of the headlines.

The vibe coding exposures documented by RedAccess are not a separate issue from shadow AI; they are its production layer. Employees build internal tools on platforms that are public by default, skip authentication, and never appear in the asset inventory. The application is invisible to the security team until a breach surfaces or a reporter finds it first. Traditional asset discovery tools are designed to find servers, containers, and cloud instances. They have no way of finding the marketing configurator that a product manager spent a weekend building on Lovable, connected to the Supabase database holding live customer records, and shared with three outside contractors through a public URL that Google indexed within hours.

The detection challenge is deeper than most security teams realize. Vibe-coded apps are deployed to platform subdomains that change frequently and sit behind a CDN layer that masks the origin infrastructure. Organizations running a mature secure web gateway, CASB, or DNS logging can detect employee access to these domains. But discovering access is not the same as inventorying what is deployed, what data it holds, or whether it requires authentication. Without explicit monitoring of the leading vibe coding platforms, the apps themselves generate little signal in traditional SIEM or endpoint telemetry. They sit in the gap between network visibility and application inventory that most security stacks were never designed to cover.
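The two signals the table's discovery row and the paragraph above describe, certificate transparency for what is deployed and egress DNS for what employees reach, can be pulled together into one candidate list. The script below is an added example, not RedAccess's tooling or any platform's code. It assumes the four platforms publish apps under the apex domains listed in PLATFORM_APEXES (verify against each platform's current documentation), uses the real crt.sh JSON endpoint for live lookups, and runs offline here on constructed CT records and DNS log lines for a fictional company called Acme.

```python
"""Added example (not RedAccess's tooling): pull candidate vibe-coded apps out of two
signal sources, certificate transparency (CT) logs for what is deployed and egress DNS
logs for what employees reach, then merge them.  Runs offline on constructed data."""
import json
import re
from urllib.parse import quote
from urllib.request import urlopen

# Apex domains the four platforms publish apps under.  Assumption: confirm against each
# platform's current docs (Lovable, for example, has also used lovableproject.com).
PLATFORM_APEXES = {
    "lovable.app": "Lovable",
    "replit.app": "Replit",
    "base44.app": "Base44",
    "netlify.app": "Netlify",
}

def crt_sh_url(apex):
    """crt.sh JSON search for every certificate name under an apex ('%' is its wildcard)."""
    return "https://crt.sh/?q={}&output=json".format(quote("%." + apex))

def fetch_ct_entries(apex):
    """Live crt.sh lookup; defined for real use, not called in the offline run below."""
    with urlopen(crt_sh_url(apex), timeout=60) as resp:
        return json.loads(resp.read())

def platform_for(host):
    """Return the platform name if host is a subdomain of a platform apex, else None."""
    host = host.lower().rstrip(".")
    for apex, name in PLATFORM_APEXES.items():
        if host.endswith("." + apex):
            return name
    return None

def hosts_from_ct(entries):
    """crt.sh packs several SANs into 'name_value' separated by newlines; wildcards name no app."""
    hosts = set()
    for entry in entries:
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name and not name.startswith("*."):
                hosts.add(name)
    return hosts

# Constructed log format: one query per line with a qname= field (adapt to your resolver or SWG).
QNAME = re.compile(r"\bqname=(?P<qname>[A-Za-z0-9.-]+)")

def hosts_from_dns(lines):
    hosts = set()
    for line in lines:
        m = QNAME.search(line)
        if m:
            hosts.add(m.group("qname").lower().rstrip("."))
    return hosts

def triage(ct_entries, dns_lines, brand_terms):
    """Merge both sources into {host: {platform, corporate_hint, sources}}.
    A host seen only in CT is deployed but never visited from the corporate network; a host seen
    only in DNS is reached by employees but carries no company name.  Both need a human look."""
    findings = {}
    for source, hosts in (("ct", hosts_from_ct(ct_entries)), ("dns", hosts_from_dns(dns_lines))):
        for host in hosts:
            platform = platform_for(host)
            if platform is None:
                continue
            label = host.split(".")[0]
            entry = findings.setdefault(host, {"platform": platform, "corporate_hint": False, "sources": set()})
            entry["corporate_hint"] = any(term in label for term in brand_terms)
            entry["sources"].add(source)
    return findings

# Constructed sample data for the fictional company "Acme"; shapes mirror crt.sh JSON and a simple DNS log.
BRAND_TERMS = ("acme",)
SAMPLE_CT = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "acme-intake.lovable.app"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "acme-ship-tracker.replit.app"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "*.netlify.app\nnetlify.app"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11", "name_value": "shop.example.com"},
]
SAMPLE_DNS = [
    "2026-03-02T10:14:03Z client=10.4.2.17 qname=acme-intake.lovable.app qtype=A",
    "2026-03-02T10:14:09Z client=10.4.2.17 qname=cdn.example.net qtype=A",
    "2026-03-02T11:02:44Z client=10.4.7.3 qname=weekend-demo.base44.app qtype=A",
    "2026-03-02T11:30:00Z client=10.4.7.3 qname=acme-contractor-portal.netlify.app. qtype=AAAA",
]

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_CT, SAMPLE_DNS, BRAND_TERMS).items()):
        print(host, info["platform"], "corporate" if info["corporate_hint"] else "unattributed", sorted(info["sources"]))
```

On the sample data the run lists four platform hosts and drops the two non-platform names. One host appears in both sources; the Base44 host appears only in DNS, so an employee reached it but nothing ties it to the company by name, which is exactly the case the paragraph above says access logs alone cannot resolve. Each candidate still needs a manual check of whether the app requires authentication and what data sits behind it.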

Platform reaction speaks volumes

Replit CEO Amjad Masad said RedAccess gave his company only 24 hours’ notice before going to the press. Both Base44 (via Wix) and Lovable said RedAccess did not share the URLs or technical details needed to verify the findings. None of the platforms denied that the published applications exist.

Wiz Research separately found in July 2025 that Base44 had a platform-wide authentication bypass. A public API endpoint allowed anyone to create an authenticated account in a private app using only the app’s public app_id. In effect, showing up at a locked building and calling out the room number was enough to open the door. Wix fixed the flaw within 24 hours of Wiz’s report, but the incident showed how thin the authentication layer is on a platform where millions of apps are built by users who assume the platform takes care of security.

The pattern is consistent across the vibe coding ecosystem. CVE-2025-48757 documents insufficient or missing row-level security policies in Supabase projects generated by Lovable. Certain queries skipped access checks entirely, exposing data across more than 170 production applications. The AI generated the database layer but not the security policies that should restrict who can read the data. Lovable disputes the CVE classification and says individual customers are responsible for protecting their application data. That dispute is itself the core tension: platforms that market to non-technical builders shift security responsibilities onto users who do not know those responsibilities exist.
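The class of defect behind CVE-2025-48757 is visible in the Postgres system catalogs without touching application code: a table in the public schema with row-level security disabled, or with a permissive policy whose predicate is simply true, is readable through the project's public API by anyone holding the anon key. The script below is an added example, not Lovable's or Supabase's code and not the CVE's proof of concept. The two catalog queries it embeds are real Postgres queries; the catalog rows are constructed so the audit runs offline, the exposed role names assume Supabase defaults, and the owner_column used in the remediation DDL is hypothetical since every app's schema differs.

```python
"""Added example (not Lovable's or Supabase's code): audit row-level security on a Supabase
Postgres project from its system catalogs.  The two catalog queries are real; the rows below
are constructed so the audit runs offline."""

TABLES_SQL = (
    "select schemaname, tablename, rowsecurity "
    "from pg_tables where schemaname = 'public';"
)
POLICIES_SQL = (
    "select schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check "
    "from pg_policies where schemaname = 'public';"
)

# Roles PostgREST runs as for anonymous and logged-in callers of the project's public API;
# 'public' is Postgres's pseudo-role meaning every role.  Assumption: Supabase default names.
EXPOSED_ROLES = {"anon", "authenticated", "public"}
# A predicate that checks nothing.  pg_policies renders it as 'true'; '(true)' covers hand-typed exports.
OPEN_PREDICATES = {"true", "(true)"}

def audit_rls(tables, policies):
    """Return {table: {"verdict": ..., "open_policies": [...]}} for every public table.

    RLS_DISABLED  any caller holding the project's anon key reads and writes every row
    OPEN_POLICY   RLS is on, but a PERMISSIVE policy with USING/WITH CHECK (true) applies to an exposed role
    NO_POLICY     RLS is on and nothing is allowed; the app sees empty results until a policy exists
    OK            RLS is on and every policy reachable by an exposed role carries a real predicate
    """
    by_table = {}
    for p in policies:
        by_table.setdefault(p["tablename"], []).append(p)
    report = {}
    for t in tables:
        name = t["tablename"]
        if not t["rowsecurity"]:
            report[name] = {"verdict": "RLS_DISABLED", "open_policies": []}
            continue
        pols = by_table.get(name, [])
        if not pols:
            report[name] = {"verdict": "NO_POLICY", "open_policies": []}
            continue
        open_policies = []
        for p in pols:
            if not set(p["roles"]) & EXPOSED_ROLES:
                continue  # e.g. a policy only for service_role, which the public API never runs as
            if p["permissive"] != "PERMISSIVE":
                continue  # RESTRICTIVE policies only narrow access; USING (true) there grants nothing
            using = (p["qual"] or "").strip().lower()        # null for INSERT policies
            check = (p["with_check"] or "").strip().lower()  # null for SELECT/DELETE policies
            if using in OPEN_PREDICATES or check in OPEN_PREDICATES:
                open_policies.append(p["policyname"])
        report[name] = {"verdict": "OPEN_POLICY" if open_policies else "OK", "open_policies": open_policies}
    return report

def remediation_sql(table, finding, owner_column):
    """DDL to close the finding.  owner_column is the column holding the owning user's id
    (hypothetical; every app's schema differs), compared with Supabase's auth.uid()."""
    policy = ("create policy {t}_owner_select on public.{t} for select to authenticated "
              "using (auth.uid() = {c});").format(t=table, c=owner_column)
    stmts = []
    if finding["verdict"] == "RLS_DISABLED":
        stmts.append("alter table public.{t} enable row level security;".format(t=table))
    for name in finding["open_policies"]:
        stmts.append("drop policy {p} on public.{t};".format(p=name, t=table))
    if finding["verdict"] != "OK":
        stmts.append(policy)
    return stmts

# Constructed catalog rows, shaped as a Postgres driver would return them for the two queries above.
SAMPLE_TABLES = [
    {"schemaname": "public", "tablename": "customer_intake", "rowsecurity": False},
    {"schemaname": "public", "tablename": "clinical_trials", "rowsecurity": True},
    {"schemaname": "public", "tablename": "messages", "rowsecurity": True},
    {"schemaname": "public", "tablename": "audit_log", "rowsecurity": True},
    {"schemaname": "public", "tablename": "service_config", "rowsecurity": True},
]
SAMPLE_POLICIES = [
    {"tablename": "clinical_trials", "policyname": "clinical_trials_public_read", "permissive": "PERMISSIVE",
     "roles": ["public"], "cmd": "SELECT", "qual": "true", "with_check": None},
    {"tablename": "messages", "policyname": "messages_owner_read", "permissive": "PERMISSIVE",
     "roles": ["authenticated"], "cmd": "SELECT", "qual": "(auth.uid() = owner_id)", "with_check": None},
    {"tablename": "messages", "policyname": "messages_owner_write", "permissive": "PERMISSIVE",
     "roles": ["authenticated"], "cmd": "INSERT", "qual": None, "with_check": "(auth.uid() = owner_id)"},
    {"tablename": "service_config", "policyname": "service_config_all", "permissive": "PERMISSIVE",
     "roles": ["service_role"], "cmd": "ALL", "qual": "true", "with_check": "true"},
]

if __name__ == "__main__":
    for table, finding in audit_rls(SAMPLE_TABLES, SAMPLE_POLICIES).items():
        print(table, finding["verdict"])
        for stmt in remediation_sql(table, finding, "owner_id"):
            print("   ", stmt)
```

Two edge cases are deliberate in the sample: the service_config table carries a USING (true) policy but only for service_role, which the public API never runs as, so it is reported OK rather than as a false positive; and audit_log has RLS enabled with no policy at all, which is safe but is the state in which a builder is most tempted to "fix" an empty result set by adding a policy that allows everything. The remediation DDL is a starting template; the select-by-owner policy is only correct for tables that actually have an owner column and a per-user access model.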

What this means for security teams

RedAccess’s findings complete the picture. At one layer, AI coding agents used by professional developers face credential theft; at another, citizen-developer platforms leak data. The structural defect is the same in both: security review happens after deployment or not at all. Identity and access management systems track human users and service accounts. They do not track the Lovable app that a sales operations analyst deployed last Tuesday, connected to a live CRM database, and shared with three outside contractors via a public URL.

Nobody asks whether the database policy restricts who can read the data, or whether the API endpoint requires authentication. When those questions go unasked at the speed of AI generation, exposure grows faster than any human review process can match. The question for security leaders is not whether a vibe-coded app sits inside the perimeter. The question is how much data it holds and who can see it. RedAccess’s findings suggest that for most organizations the answer is worse than anyone in the C-suite currently knows. Organizations that start scanning this week will find these apps. Those that wait will read about them in the press.


