
5,000 vibe-coded apps just proved shadow AI is the new S3 bucket crisis

Enterprise security programs face a new class of exposure. The rise of vibe coding, in which people build and ship applications by prompting AI-driven low-code or no-code platforms, has created a set of risks that traditional security controls were not designed to catch.

Israeli cybersecurity firm RedAccess recently published research that uncovered a startling picture: 380,000 publicly accessible assets, including applications, databases, and related infrastructure, built on vibe coding platforms such as Lovable, Base44, Replit, and Netlify. About 1.3% of these assets contained sensitive corporate information, exposing the companies behind them to data breaches and regulatory violations.

Among the exposed data were details about shipping company operations, internal health company applications listing active clinical trials, unredacted customer service conversations, and internal financial information for a Brazilian bank. The implications of such exposures are severe, potentially triggering regulatory obligations under laws like HIPAA, UK GDPR, and Brazil’s LGPD.

Furthermore, RedAccess discovered phishing sites impersonating well-known companies like Bank of America, FedEx, Trader Joe’s, and McDonald’s, built on the same vibe coding platforms. This raises concerns about the potential for financial fraud and identity theft stemming from these malicious sites.

The root of the problem lies in the default privacy settings of many vibe coding platforms, which leave apps publicly accessible unless the user manually switches them to private. That default, combined with search engines such as Google indexing the resulting apps, means an internal tool can become discoverable by anyone without its builder ever making a deliberate choice to publish it.

This issue is not isolated to RedAccess’ findings. In a separate study, Escape.tech scanned over 5,600 publicly available vibe-coded applications and found over 2,000 high-impact vulnerabilities, exposed secrets, and instances of personal data exposure. AI-generated code that ships without a security review leaves exactly the kind of flaws that attackers look for.

Gartner’s “Predicts 2026” report forecasts a sharp increase in software defects due to citizen developers adopting prompt-to-app approaches. The report warns that AI-generated code may lack awareness of system architecture and business rules, leading to costly remediation efforts.

IBM’s Cost of a Data Breach Report revealed that 20% of organizations experienced breaches linked to shadow AI, resulting in an average breach cost of $4.63 million. The lack of proper access controls and governance policies for AI applications has exacerbated the problem, leading to a disproportionate exposure of customer personally identifiable information.

To address these challenges, CISOs are advised to implement an audit framework that assesses vibe-coded app risk across five domains: discovery, authentication, code scanning, data loss prevention, and governance. By proactively scanning vibe coding platform domains, requiring pre-deployment security reviews, and implementing AI governance policies, organizations can mitigate the risks associated with shadow AI and vibe coding.

In conclusion, the exposure of vibe-coded applications highlights the urgent need for organizations to rethink their approach to security in an era of rapid tooling change. By proactively addressing vulnerabilities in low-code and no-code applications, companies can better protect sensitive data and prevent costly breaches.

The rise of vibe coding platforms also creates a visibility problem for security teams. Unless these platforms are explicitly monitored, the apps created on them produce little signal in conventional security information and event management (SIEM) or endpoint telemetry: the traffic looks like ordinary HTTPS to a SaaS domain, and the app itself never appears in any asset inventory. This gap between network visibility and application inventory is a risk that most security stacks were not designed to address.
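The inventory gap described above can be narrowed with the one data source most organizations already have: outbound proxy logs. The following script is an added example, not code from the article or from RedAccess, that builds a per-app inventory of traffic to vibe coding platform hosting domains and flags apps worth a closer look (write traffic, meaning corporate data is being stored there, and large downloads, meaning data is leaving). The hosting-domain suffixes are assumed from the platforms’ public app URLs and should be extended with whatever your own logs show; the log format and the six sample lines are constructed for the example.

```python
import re

# Assumed hosting-domain suffixes for the platforms named in the article.
# Treat this as a starting watch list, not an authoritative mapping.
PLATFORM_SUFFIXES = {
    "lovable.app": "Lovable",
    "base44.app": "Base44",
    "replit.app": "Replit",
    "repl.co": "Replit",
    "netlify.app": "Netlify",
}

# Constructed proxy log: "timestamp user src_ip method url status bytes".
SAMPLE_PROXY_LOG = """\
2025-07-01T09:12:03Z alice 10.1.4.22 GET https://crm-helper.lovable.app/api/contacts 200 18240
2025-07-01T09:12:09Z alice 10.1.4.22 GET https://www.example.com/ 200 5120
2025-07-01T09:15:41Z bob 10.1.7.8 POST https://trial-tracker.base44.app/api/records 201 902
2025-07-01T09:20:00Z carol 10.1.9.3 GET https://finance-dash.replit.app/export.csv 200 410233
2025-07-01T09:21:17Z bob 10.1.7.8 GET https://trial-tracker.base44.app/ 200 3110
2025-07-01T09:30:55Z dave 10.1.2.14 GET https://intranet.corp.example/ 200 2048
"""

WRITE_METHODS = {"POST", "PUT", "PATCH"}


def platform_for(host):
    """Return the platform name if host sits under a watched suffix, else None."""
    host = host.lower().rstrip(".")
    for suffix, name in PLATFORM_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, src, method, url, status, size = parts
    m = re.match(r"https?://([^/]+)", url)
    if not m:
        return None
    return {
        "ts": ts, "user": user, "src": src, "method": method.upper(),
        "host": m.group(1), "path": url[m.end():] or "/",
        "status": int(status), "bytes": int(size),
    }


def build_inventory(log_text):
    """Aggregate every request to a watched platform into a per-app record."""
    inventory = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        platform = platform_for(rec["host"])
        if platform is None:
            continue  # ordinary traffic, not a vibe-coded app
        entry = inventory.setdefault(rec["host"], {
            "platform": platform, "users": set(), "requests": 0,
            "writes": 0, "bytes": 0, "first_seen": rec["ts"],
        })
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["method"] in WRITE_METHODS:
            entry["writes"] += 1
    return inventory


def flag_for_review(inventory, byte_threshold=100_000):
    """Return {host: [reasons]} for apps that deserve a security review."""
    flagged = {}
    for host, entry in inventory.items():
        reasons = []
        if entry["writes"]:
            reasons.append("corporate data written to the app")
        if entry["bytes"] >= byte_threshold:
            reasons.append(f"{entry['bytes']} bytes downloaded (possible data export)")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_PROXY_LOG)
    for host, e in sorted(inv.items()):
        print(f"{host:28} {e['platform']:8} users={len(e['users'])} "
              f"req={e['requests']} writes={e['writes']} bytes={e['bytes']}")
    for host, reasons in flag_for_review(inv).items():
        print(f"REVIEW {host}: {'; '.join(reasons)}")
```

Feed the output into the asset inventory rather than treating it as an alert stream: the value is the list of apps that exist at all, which is the discovery domain of the audit framework, and the write and download flags then prioritise which of them get the authentication and data-loss checks first.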

Recent incidents involving vibe coding platforms have shed further light on their weaknesses. RedAccess gave Replit, Base44, and Lovable only 24 hours to respond before publishing its findings. The platforms did not deny that exposed applications existed, but said RedAccess had not provided specific technical details.

In a separate discovery by Wiz Research, Base44 was found to have a platform-wide authentication bypass issue in July 2025. This flaw allowed anyone to create a verified account on private apps using publicly available information, essentially bypassing the authentication process. Wix, the parent company of Base44, quickly addressed the vulnerability, but the incident highlighted the weak authentication layers present in platforms where users rely on the platform for security.

Similar problems were found in Lovable-generated Supabase projects, where insufficient or missing Row-Level Security (RLS) policies exposed data across multiple production applications. The AI-generated database layer created tables without the row-scoped policies needed to restrict access, leaving sensitive data readable by anyone holding the app’s public API key. Lovable disputed the classification of the issue as a vulnerability, placing responsibility on individual customers to protect their own data.
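A static check for the Supabase failure mode described above fits naturally into the code-scanning domain of the audit framework, and it can run against a project’s migration files before anything is deployed. The script below is an added example, not Lovable’s, Supabase’s or the researchers’ code. It parses `create table`, `alter table ... enable row level security` and `create policy` statements and grades each table: RLS not enabled is the critical case (Supabase exposes the `public` schema through its REST API, so the anonymous key can read and write every row), a permissive `using (true)` or `with check (true)` policy is nearly as bad, and RLS enabled with no policy denies all API access, which is safe but breaks the app. The migration text is constructed for the example; the regular expressions cover the common statement forms, not every PostgreSQL syntax variant.

```python
import re

# Constructed Supabase-style migration: three tables in the public schema,
# each with RLS handled differently. Not from any real project.
SAMPLE_MIGRATION = """\
create table public.profiles (
  id uuid primary key,
  user_id uuid references auth.users(id),
  full_name text
);

create table clinical_trials (
  id bigint generated always as identity primary key,
  sponsor text,
  status text
);

create table public.support_messages (
  id bigint primary key,
  user_id uuid,
  body text
);

alter table public.profiles enable row level security;
create policy "own profile" on public.profiles
  for select using (auth.uid() = user_id);

alter table public.support_messages enable row level security;
create policy "anyone can read" on public.support_messages
  for select to anon using (true);
"""

TABLE_RE = re.compile(
    r'create\s+table\s+(?:if\s+not\s+exists\s+)?(?:"?(\w+)"?\.)?"?(\w+)"?', re.I)
RLS_RE = re.compile(
    r'alter\s+table\s+(?:only\s+)?(?:"?(\w+)"?\.)?"?(\w+)"?\s+'
    r'enable\s+row\s+level\s+security', re.I)
POLICY_RE = re.compile(
    r'create\s+policy\s+("[^"]*"|\w+)\s+on\s+(?:"?(\w+)"?\.)?"?(\w+)"?(.*?);',
    re.I | re.S)
# A policy whose USING or WITH CHECK clause is literally TRUE scopes nothing.
PERMISSIVE_RE = re.compile(r'(?:using|with\s+check)\s*\(\s*true\s*\)', re.I)
ROLE_RE = re.compile(r'\bto\s+([\w,\s]+?)\s+(?:using|with|for)\b', re.I)


def qualify(schema, table):
    """Normalise to schema.table; Supabase migrations default to public."""
    return f"{schema or 'public'}.{table}".lower()


def audit_rls(sql):
    """Return {table: (severity, reason)} for every table created in sql."""
    tables = {qualify(s, t) for s, t in TABLE_RE.findall(sql)}
    rls_on = {qualify(s, t) for s, t in RLS_RE.findall(sql)}
    policies = {}
    for name, s, t, body in POLICY_RE.findall(sql):
        policies.setdefault(qualify(s, t), []).append((name.strip('"'), body))

    findings = {}
    for table in sorted(tables):
        if table not in rls_on:
            findings[table] = ("CRITICAL",
                "RLS not enabled: the anon API key can read and write every row")
            continue
        pols = policies.get(table, [])
        if not pols:
            findings[table] = ("INFO",
                "RLS enabled with no policies: API access denied until policies exist")
            continue
        permissive = []
        for name, body in pols:
            if PERMISSIVE_RE.search(body):
                roles = ROLE_RE.search(body)
                role_txt = roles.group(1).strip() if roles else "public (all roles)"
                permissive.append(f"{name} -> {role_txt}")
        if permissive:
            findings[table] = ("HIGH",
                "permissive policy with no row condition: " + "; ".join(permissive))
        else:
            findings[table] = ("OK", f"RLS enabled with {len(pols)} row-scoped policy(ies)")
    return findings


if __name__ == "__main__":
    for table, (sev, why) in audit_rls(SAMPLE_MIGRATION).items():
        print(f"{sev:8} {table:28} {why}")
```

Run it as a pre-deployment gate over every `.sql` file the platform generated and fail the review on any CRITICAL or HIGH finding; the INFO case is worth surfacing too, because a builder who hits it is one prompt away from "fixing" it with a `using (true)` policy.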

For security teams, these incidents emphasize the importance of monitoring and reviewing applications created on vibe coding platforms. Identity and access management systems may track human users and service accounts, but they may not account for the numerous apps created by non-technical users. Without proper oversight, the exposure of sensitive data can escalate rapidly, surpassing the capabilities of human review processes.

The implications for security leaders are clear. The prevalence of vibe-coded apps within organizations may be higher than anticipated, with potentially sensitive data being exposed to unauthorized parties. Proactive scanning and monitoring of these platforms are essential to mitigate security risks before they become public knowledge. Organizations that take action now will be better equipped to protect their data and prevent future security incidents.
