Enterprise security programs face a new challenge: shadow AI and the proliferation of vibe-coded applications. Apps built on platforms such as Lovable, Base44, Replit, and Netlify are deployed with defaults that leave them publicly reachable unless the builder changes them. The result is a large population of publicly accessible assets holding sensitive corporate data, as a recent study by the Israeli cybersecurity firm RedAccess highlights.
RedAccess counts roughly 380,000 publicly accessible assets, about 5,000 of which contain sensitive corporate data: a shipping company's app detailing vessel schedules, a health company's internal app listing clinical trials, and the complete customer service conversations of a cabinet supplier, among others. Depending on the data involved, such exposures can trigger notification and other regulatory obligations under HIPAA, UK GDPR, or Brazil's LGPD.
Phishing sites impersonating well-known brands such as Bank of America, FedEx, and McDonald's have also been found hosted on vibe coding platforms. Public-by-default settings, combined with citizen developers who have never been exposed to security basics, create ideal conditions for data breaches and other attacks.
This is not an isolated finding. Earlier research by Escape.tech found exposed secrets and personal data in vibe-coded applications, and Gartner's "Predicts 2026" report expects software defects to rise because AI-generated code has no awareness of system architecture or business rules. Organizations have to balance that development speed against its security cost.
Shadow AI, the use of unauthorized AI tools inside an organization, compounds the problem. IBM's Cost of a Data Breach Report found that 20% of organizations had experienced a breach linked to shadow AI, with significant financial impact. Missing access controls and governance policies make such breaches both more likely and harder to detect, so organizations need to address the risk proactively rather than after the fact.
CISOs are advised to triage vibe-coded app risk with an audit framework covering five domains: discovery (which apps exist and who built them), authentication (who can reach each app and its backend), code scanning (secrets, injection, and misconfiguration in the generated code), data loss prevention (what corporate data has been pasted or uploaded into them), and governance (who may build and publish what). Working through those domains lets an organization contain the risk without banning the tools outright.
Ultimately, the exposure of vibe-coded applications is not just a security issue; it is a symptom of shadow AI and of builders who were never taught security basics. Addressing both, and putting real controls around the apps, is what protects an organization from the resulting breaches. There is a visibility problem underneath: because these apps are built, hosted, and served entirely on third-party platforms, they leave almost no trace in conventional SIEM or endpoint telemetry, little beyond outbound proxy or DNS traffic, and most application inventories do not cover them at all.
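As an added example, not from the article or from any of the platforms it names: a SIEM-style SQL query that turns the one signal these apps do leave, outbound web-proxy logs, into a first inventory. The log rows are constructed for illustration, and the suffix-to-platform table is an assumption to verify and extend for your own environment (it covers only the default deployment domains of the four platforms the article mentions).

```sql
-- Constructed proxy log sample (Squid/Zeek-style, reduced to the fields used).
-- In a real SIEM this CTE is replaced by the proxy or DNS log table.
with proxy_log(ts, username, dst_host, method, status, bytes_out) as (values
  ('2025-10-02T09:14:03Z', 'a.perez', 'crm-intake.lovable.app',   'POST', 200, 48211),
  ('2025-10-02T09:15:41Z', 'a.perez', 'crm-intake.lovable.app',   'GET',  200,   912),
  ('2025-10-02T10:02:17Z', 'j.chen',  'vessel-board.base44.app',  'GET',  200,  1203),
  ('2025-10-02T10:40:55Z', 'j.chen',  'www.example-erp.com',      'GET',  200,  5021),
  ('2025-10-02T11:11:09Z', 'm.osei',  'trial-tracker.replit.app', 'POST', 200, 99120),
  ('2025-10-02T13:27:44Z', 'r.silva', 'crm-intake.lovable.app',   'GET',  200,   880),
  ('2025-10-02T14:05:12Z', 'r.silva', 'vessel-board.base44.app',  'PUT',  200, 30655),
  ('2025-10-02T16:48:30Z', 'm.osei',  'cdn.example-saas.net',     'GET',  200, 20480)
),
-- ASSUMPTION: default deployment suffixes of the named platforms; extend as needed.
platforms(suffix, platform) as (values
  ('.lovable.app', 'Lovable'),
  ('.base44.app',  'Base44'),
  ('.replit.app',  'Replit'),
  ('.netlify.app', 'Netlify')
)
select p.platform,
       l.dst_host                                  as app_host,
       count(distinct l.username)                  as distinct_users,
       -- uploads (POST/PUT/PATCH) are the DLP signal: data flowing INTO the app
       sum(case when l.method in ('POST', 'PUT', 'PATCH')
                then l.bytes_out else 0 end)       as bytes_uploaded,
       min(l.ts)                                   as first_seen,
       max(l.ts)                                   as last_seen
from proxy_log l
join platforms p on l.dst_host like '%' || p.suffix   -- suffix match, no regex needed
group by p.platform, l.dst_host
order by bytes_uploaded desc, distinct_users desc;
```

On the sample rows the query yields three app hosts: trial-tracker.replit.app (one user, 99,120 bytes uploaded), crm-intake.lovable.app (two users, 48,211 bytes uploaded) and vessel-board.base44.app (two users, 30,655 bytes uploaded), with the two non-platform hosts filtered out. A host with many distinct internal users and a large upload volume is the first candidate for the authentication and DLP checks in the audit framework; the query cannot tell a builder from a visitor, so the `first_seen` user is the person to ask.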
Platform responses are telling. Replit CEO Amjad Masad said RedAccess gave Replit only 24 hours' notice before publishing. Base44 (owned by Wix) and Lovable said RedAccess did not supply the URLs or technical details needed to verify the findings. None of the platforms denied that exposed applications exist.
Separately, in July 2025 Wiz Research found a platform-wide authentication bypass in Base44: anyone could create a verified account on a private app using only its publicly visible app_id. Wix fixed the flaw within 24 hours, but the episode shows how thin the authentication layer can be on platforms whose users rely entirely on platform-provided security.
The same pattern recurs across the vibe coding ecosystem. CVE-2025-48757 covered insufficient or missing Row-Level Security (RLS) policies in Lovable-generated Supabase projects, exposing data in more than 170 production applications. In Supabase, RLS is the Postgres mechanism that restricts which rows a given request may see; without it, any client holding the project's public anon key can read every row the table's grants allow. Lovable disputed the CVE classification, arguing that individual customers are responsible for safeguarding their own application data. The dispute illustrates how security responsibility shifts to users who may not know they carry it.
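The Postgres side of that CVE class, as an added example that is not part of the article and not Lovable's or Supabase's own code: first the exposed state a plain CREATE TABLE leaves behind, then the two queries an auditor runs against the project to find such tables, then the fix. The table, its columns and the policy names are made up for illustration; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's standard ones.

```sql
-- EXPOSED STATE (constructed example). A table created with plain DDL has
-- row-level security OFF. In a default Supabase project the anon and
-- authenticated roles already hold SELECT/INSERT/UPDATE/DELETE on new tables in
-- the public schema, so PostgREST serves every row of this table to any request
-- that carries the project's public anon key, which ships in the front-end JS.
create table public.customer_conversations (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null,                 -- auth.users.id of the customer
  transcript  text not null,
  created_at  timestamptz not null default now()
);
-- Equally bad: RLS switched on, but a generated policy that lets anyone read.
-- create policy "public read" on public.customer_conversations
--   for select to anon, authenticated using (true);

-- AUDIT 1: tables in public with RLS disabled.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- AUDIT 2: policies whose USING or WITH CHECK clause is unconditional.
select schemaname, tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- FIX: enable RLS, then add policies that bind every row to the requesting
-- user via auth.uid(). Wrapping auth.uid() in a subselect lets the planner
-- evaluate it once per query instead of once per row.
alter table public.customer_conversations enable row level security;

create policy "owner can read"
  on public.customer_conversations
  for select to authenticated
  using ((select auth.uid()) = owner_id);

create policy "owner can insert"
  on public.customer_conversations
  for insert to authenticated
  with check ((select auth.uid()) = owner_id);

-- Give the anon role no policy at all: with RLS on and no matching policy,
-- Postgres returns zero rows rather than an error, so nothing leaks to an
-- unauthenticated request. Re-run the two audit queries afterwards; the table
-- should appear in neither result set.
```

The external confirmation is a single unauthenticated PostgREST request carrying only the project's public anon key, i.e. a GET to `/rest/v1/customer_conversations?select=*` with the `apikey` header: before the fix it returns every row, after it returns an empty array. `ALTER TABLE ... FORCE ROW LEVEL SECURITY` additionally scopes the table owner, but check which role your own server-side jobs run as before enabling it, because a job that relies on owner privileges will start seeing no rows.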
For security teams the implications are concrete. Developer-oriented AI coding agents mostly raise the risk of credential theft; citizen-developer platforms produce data exposure, because nothing reviews the app before or after deployment. Identity and access management is built around human users and service accounts, and it does not see the apps that non-technical staff spin up on an external platform.
AI-generated apps appear faster than any human review process can keep up with, so the risk scales at the same rate. Security leaders need to establish how many vibe-coded apps exist in their organization, what data each one holds, and who can reach it; teams that start scanning now will be in a far better position than those that wait.
Adopting vibe coding platforms therefore requires a proactive security posture: continuous discovery and regular scanning of these apps and their backends are what keep the data they hold protected.
