5,000 vibe-coded apps just proved shadow AI is the new S3 bucket crisis
Source: VentureBeat
Most enterprise security programs were built to protect servers, endpoints, and cloud accounts. None of them was built to find a customer‑intake form that a product‑manager vibe‑coded on Lovable over a weekend, connected to a live Supabase database, and deployed on a public URL indexed by Google. That gap now has a price tag.
New research from Israeli cybersecurity firm RedAccess quantifies the scale. The firm discovered 380,000 publicly accessible assets—including applications, databases, and related infrastructure—built with vibe‑coding tools from Lovable, Base44, Replit, and the deployment platform Netlify. Roughly 5,000 of those assets (≈1.3 %) contained sensitive corporate information. CEO Dor Zvi said his team found the exposure while researching shadow AI for customers. Axios independently verified multiple exposed apps, and Wired confirmed the findings separately.
Verified exposures
- Shipping company app – detailed which vessels were expected at which ports.
- Internal health‑company application – listed active clinical trials across the U.K.
- British cabinet‑supplier – full, unredacted customer‑service conversations sat on the open web.
- Brazilian bank – internal financial information accessible to anyone who found the URL.
Other exposed data included:
- Patient conversations at a children’s long‑term‑care facility.
- Hospital doctor‑patient summaries.
- Incident‑response records at a security company.
- Ad‑purchasing strategies.
Depending on jurisdiction and the data involved, the healthcare and financial exposures may trigger regulatory obligations under HIPAA, UK GDPR, or Brazil’s LGPD.
RedAccess also found phishing sites built on Lovable that impersonated Bank of America, FedEx, Trader Joe’s, and McDonald’s. Lovable said it had begun investigating and removing the phishing sites.
The defaults are the problem
Privacy settings on several vibe‑coding platforms make apps publicly accessible unless users manually switch them to private. Many of these applications get indexed by Google and other search engines, so anyone can stumble across them.
“I don’t think it’s feasible to educate the whole world around security. My mother is [vibe‑coding] with Lovable, and no offense, but I don’t think she will think about role‑based access.” – Dor Zvi
This is not an isolated finding
- October 2025 – Escape.tech scanned 5,600 publicly available vibe‑coded applications and found:
  - 2,000 high‑impact vulnerabilities
  - 400 exposed secrets (API keys, access tokens)
  - 175 instances of personal‑data exposure (medical records, bank account numbers)
  Every vulnerability Escape found was in a live production system, discoverable within hours. The full report documents the methodology.
- March 2026 – Escape raised an $18 M Series A (led by Balderton), citing the security gap opened by AI‑generated code as a core market thesis.
- Gartner “Predicts 2026” forecasts that by 2028, prompt‑to‑app approaches adopted by citizen developers will increase software defects by 2,500 %. Gartner identifies a new class of defect where AI generates syntactically correct code that lacks awareness of broader system architecture and nuanced business rules. Remediation costs for these deep contextual bugs will consume budgets previously allocated to innovation.
Shadow AI is the multiplier
- IBM 2025 Cost of a Data Breach Report:
  - 20 % of organizations experienced breaches linked to shadow AI.
  - Those incidents added $670 k to the average breach cost, pushing the shadow‑AI breach average to $4.63 M.
  - 97 % of AI‑related breaches lacked proper access controls.
  - 63 % of breached organizations had no AI governance policy.
- Shadow AI breaches disproportionately exposed customer PII (65 % vs. 53 % across all breaches) and affected data distributed across multiple environments 62 % of the time.
- Only 34 % of organizations with AI governance policies performed regular audits for unsanctioned AI tools.
- VentureBeat estimated that actively used shadow apps could more than double by mid‑2026.
- Cyberhaven data found 73.8 % of ChatGPT workplace accounts in enterprise environments were unauthorized.
What to do first
The audit framework below gives CISOs a starting point for triaging vibe‑coded app risk across five domains.
| Domain | Current State (Most Orgs) | Target State | First Action |
|---|---|---|---|
| Discovery | No visibility into vibe‑coded apps | Automated scanning of vibe‑coding platform domains | Run DNS + certificate‑transparency scan for Lovable, Replit, Base44, Netlify subdomains tied to corporate assets |
| Authentication | Platform defaults (public by default) | SSO/SAML integration required before deployment | Block unauthenticated apps from accessing internal data sources |
| Code scanning | Zero coverage for citizen‑built apps | Mandatory SAST/DAST before production | Extend the existing AppSec pipeline to cover vibe‑coded deployments |
| Data loss prevention | No DLP coverage for vibe‑coding domains | DLP policies covering Lovable, Replit, Base44, Netlify | Add vibe‑coding platform domains to existing DLP rules |
| Governance | No AI usage policy or shadow‑AI detection | AI governance policy with regular audits for unsanctioned tools | Publish an acceptable‑use policy for AI coding tools with a pre‑deployment review gate |
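The Discovery row's first action (a certificate‑transparency scan for platform subdomains tied to corporate assets) is the one most teams can start today, because CT logs are public and need no agent or platform cooperation. The Python below is an added example, not code from VentureBeat, RedAccess or any of the platforms: it triages CT records for hostnames on the four platforms' publishing domains, keeps only those carrying an organisation keyword, and ranks the ones whose names hint at customer or regulated data. The records are constructed inline to mimic the JSON shape crt.sh returns; the platform suffixes, the keyword list and the company name "acme" are assumptions for the example, and a real run would substitute your own brand and product tokens.

```python
"""Triage certificate-transparency (CT) log entries for vibe-coded apps that
look tied to the organisation.

Added example. The records below are constructed to mimic the JSON that
crt.sh returns for a query such as
https://crt.sh/?q=%25.lovable.app&output=json; a real run would feed that
response into the same function. Platform suffixes, sensitive-word hints and
the org keywords are assumptions for this example.
"""
from dataclasses import dataclass

# Hosting suffixes the four platforms named in the article publish apps on
# (assumed here; confirm against your own DNS and proxy telemetry).
PLATFORM_SUFFIXES = {
    "lovable.app": "Lovable",
    "replit.app": "Replit",
    "base44.app": "Base44",
    "netlify.app": "Netlify",
}

# Hostname fragments that suggest the app fronts customer or regulated data.
SENSITIVE_HINTS = ("intake", "customer", "crm", "patient", "clinical",
                   "invoice", "payroll", "support")

# Constructed CT records. crt.sh packs every SAN of a certificate into
# name_value, newline separated, which is why one record can list two names.
SAMPLE_CT_RECORDS = [
    {"issuer_name": "constructed CA", "name_value": "acme-customer-intake.lovable.app"},
    {"issuer_name": "constructed CA", "name_value": "*.replit.app\nacme-crm-dashboard.replit.app"},
    {"issuer_name": "constructed CA", "name_value": "weekend-todo.lovable.app"},  # no org link
    {"issuer_name": "constructed CA", "name_value": "acmecorp-pricing-config.netlify.app"},
    {"issuer_name": "constructed CA", "name_value": "acme-customer-intake.lovable.app"},  # renewal, duplicate
    {"issuer_name": "constructed CA", "name_value": "acme-status.base44.app"},
    {"issuer_name": "constructed CA", "name_value": "www.example.com"},  # not a vibe-coding platform
]
ORG_KEYWORDS = ["acme"]  # hypothetical company and brand tokens


@dataclass(frozen=True)
class Finding:
    host: str
    platform: str
    org_match: str
    sensitive: bool


def _hostnames(record):
    """Yield each hostname in a crt.sh record, lower-cased, wildcard prefix dropped."""
    for name in record.get("name_value", "").splitlines():
        name = name.strip().lower().lstrip("*.")
        if name:
            yield name


def _split_platform(host):
    """Return (platform, app label) when host sits under a known platform suffix."""
    for suffix, platform in PLATFORM_SUFFIXES.items():
        if host.endswith("." + suffix):
            return platform, host[: -(len(suffix) + 1)]
    return None, None


def find_corporate_vibe_apps(records, org_keywords):
    """Return Findings for platform-hosted apps whose name carries an org keyword,
    sensitive-looking names first, each host reported once."""
    keywords = [k.lower() for k in org_keywords]
    seen, findings = set(), []
    for record in records:
        for host in _hostnames(record):
            platform, label = _split_platform(host)
            if platform is None or host in seen:
                continue
            seen.add(host)
            match = next((k for k in keywords if k in label), None)
            if match is None:
                continue  # a platform app, but nothing ties it to the org
            sensitive = any(hint in label for hint in SENSITIVE_HINTS)
            findings.append(Finding(host, platform, match, sensitive))
    findings.sort(key=lambda f: (not f.sensitive, f.host))
    return findings


if __name__ == "__main__":
    for f in find_corporate_vibe_apps(SAMPLE_CT_RECORDS, ORG_KEYWORDS):
        flag = "REVIEW FIRST" if f.sensitive else "inventory"
        print(f"{flag:12} {f.platform:8} {f.host}  (matched '{f.org_match}')")
```

Every host this returns is a candidate for the Authentication row's check (does it require login before reaching internal data?), which is a manual or policy step the scan cannot answer on its own. Keyword matching on hostnames is deliberately loose: a false positive costs a minute of review, while a missed app is exactly the exposure the article describes.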
The CISO who treats this as a policy problem will write a memo.
The CISO who treats this as an architecture problem will:
- Deploy discovery scanning across the four largest vibe‑coding domains.
- Require pre‑deployment security review.
- Extend the existing AppSec pipeline to citizen‑built apps.
- Add those domains to DLP rules before the next board meeting.
One of those CISOs avoids the next headline.
Bottom line
The vibe‑coding exposure RedAccess documented is not a separate problem from shadow AI—it is shadow AI’s production layer. Addressing it requires both policy and architecture actions, starting with visibility, authentication, code‑security testing, data‑loss prevention, and governance.
The Hidden Risk of “Vibe‑Coded” Apps
Problem statement
Many internal tools are built on platforms that default to public access, skip authentication, and never appear on any asset inventory. Consequently, these applications stay invisible to security teams until a breach surfaces or a reporter discovers them first.
Traditional asset‑discovery tools were designed to find servers, containers, and cloud instances. They have no way to locate a marketing configurator that a product manager built on Lovable over a weekend, connected to a Supabase database holding live customer records, and shared with three external contractors through a public URL that Google indexed within hours.
Why Detection Is Hard
- Dynamic subdomains – Vibe‑coded apps deploy on platform subdomains that rotate frequently and often sit behind CDN layers that mask the origin infrastructure.
- Limited telemetry – Even mature web‑gateway, CASB, or DNS‑logging solutions can detect employee access to these domains, but detecting access is not the same as inventorying what was deployed, what data it holds, or whether it requires authentication.
- Signal gap – Without explicit monitoring of the major vibe‑coding platforms, the apps generate only a limited signal in conventional SIEM or endpoint telemetry. They exist in a gap between network visibility and application inventory that most security stacks were never architected to cover.
Platform Responses
“The platform responses tell the story.”
- Replit – CEO Amjad Masad said RedAccess gave his company only 24 hours before going to the press.
- Base44 (via Wix) and Lovable – Both said RedAccess did not include the URLs or technical specifics needed to verify the findings. Neither platform denied that the exposed applications existed.
Notable Vulnerabilities
| Platform | Vulnerability | Date Discovered | Impact |
|---|---|---|---|
| Base44 | Platform‑wide authentication bypass (Wiz Research) | July 2025 | Anyone could create a verified account on private apps using only a publicly visible app_id. |
| Lovable | CVE‑2025‑48757 – Insufficient or missing Row‑Level Security (RLS) policies in Supabase projects | 2025 | Queries skipped access checks entirely, exposing data across > 170 production applications. |
- Wix fixed the Base44 bypass within 24 hours after Wiz reported it, but the incident exposed how thin the authentication layer is on platforms where millions of apps are built by users who assume the platform handles security for them.
- Lovable disputes the CVE classification, stating that individual customers accept responsibility for protecting their application data. This dispute itself illustrates the core tension: platforms that market to non‑technical builders are shifting security responsibility to users who do not know it exists.
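Whatever the outcome of the CVE dispute, the check a security team can run itself is concrete: in a Supabase project, a table in an API‑exposed schema that the `anon` or `authenticated` role can read, with Row‑Level Security disabled, is readable by anyone holding the app's publishable key; RLS enabled but backed by a `USING (true)` policy is just as open. The Python below is an added example, not code from Lovable, Supabase or the article: it audits a schema snapshot and classifies each table as exposed, scoped or locked, then emits the first remediation statement. The catalog rows are constructed inline to mimic `pg_tables`, `pg_policies` and `information_schema.role_table_grants` output (which `psql` or the Supabase SQL editor would supply in practice); the `anon`/`authenticated` role names follow Supabase's documented PostgREST convention, and the table and policy names are invented.

```python
"""Audit a Postgres/Supabase schema snapshot for tables reachable through the
API roles without effective Row-Level Security.

Added example. The catalog rows below are constructed to mimic pg_tables,
pg_policies and information_schema.role_table_grants; a real audit would
query those views and feed the rows into audit_rls(). Role and schema names
follow Supabase's documented defaults but are assumptions for this example.
"""
from collections import defaultdict

API_ROLES = {"anon", "authenticated", "public"}  # roles API callers map to
EXPOSED_SCHEMAS = {"public"}                      # schemas served by PostgREST

EXPOSED_RLS_OFF = "EXPOSED: RLS disabled, readable with the publishable anon key"
EXPOSED_OPEN_POLICY = "EXPOSED: RLS on, but a policy grants SELECT to everyone"
SCOPED = "scoped: RLS on with a row-restricting policy"
LOCKED = "locked: RLS on, no policy (deny-all)"
UNREACHABLE = "not reachable through API roles"

# Constructed snapshot (invented table and policy names).
TABLES = [  # pg_tables
    {"schemaname": "public", "tablename": "patients", "rowsecurity": False},
    {"schemaname": "public", "tablename": "intake_forms", "rowsecurity": True},
    {"schemaname": "public", "tablename": "orders", "rowsecurity": True},
    {"schemaname": "public", "tablename": "audit_log", "rowsecurity": True},
    {"schemaname": "private", "tablename": "api_secrets", "rowsecurity": False},
]
GRANTS = [  # information_schema.role_table_grants
    {"table_schema": "public", "table_name": "patients", "grantee": "anon", "privilege_type": "SELECT"},
    {"table_schema": "public", "table_name": "intake_forms", "grantee": "anon", "privilege_type": "SELECT"},
    {"table_schema": "public", "table_name": "orders", "grantee": "authenticated", "privilege_type": "SELECT"},
    {"table_schema": "public", "table_name": "audit_log", "grantee": "anon", "privilege_type": "SELECT"},
    {"table_schema": "private", "table_name": "api_secrets", "grantee": "service_role", "privilege_type": "SELECT"},
]
POLICIES = [  # pg_policies (qual is the USING expression)
    {"schemaname": "public", "tablename": "intake_forms",
     "policyname": "Enable read access for all users",
     "roles": ["public"], "cmd": "SELECT", "qual": "true"},
    {"schemaname": "public", "tablename": "orders",
     "policyname": "owner reads own orders",
     "roles": ["authenticated"], "cmd": "SELECT", "qual": "(auth.uid() = owner_id)"},
]


def _is_open_read(policy):
    """True when a policy lets an API role read every row (USING (true))."""
    applies_to_api = {r.lower() for r in policy["roles"]} & API_ROLES
    reads = policy["cmd"].upper() in ("SELECT", "ALL")
    return bool(applies_to_api) and reads and policy["qual"].strip().lower() == "true"


def audit_rls(tables, grants, policies):
    """Return {schema.table: verdict} for every table in the snapshot."""
    readable = defaultdict(set)  # tables an API role may SELECT from
    for g in grants:
        if g["grantee"].lower() in API_ROLES and g["privilege_type"].upper() == "SELECT":
            readable[(g["table_schema"], g["table_name"])].add(g["grantee"].lower())
    pols = defaultdict(list)
    for p in policies:
        pols[(p["schemaname"], p["tablename"])].append(p)

    verdicts = {}
    for t in tables:
        key = (t["schemaname"], t["tablename"])
        name = ".".join(key)
        if key[0] not in EXPOSED_SCHEMAS or not readable[key]:
            verdicts[name] = UNREACHABLE
        elif not t["rowsecurity"]:
            verdicts[name] = EXPOSED_RLS_OFF
        elif not pols[key]:
            verdicts[name] = LOCKED
        elif any(_is_open_read(p) for p in pols[key]):
            verdicts[name] = EXPOSED_OPEN_POLICY
        else:
            verdicts[name] = SCOPED
    return verdicts


def remediation_sql(verdicts):
    """First-step SQL for each exposed table (standard Postgres syntax)."""
    stmts = []
    for name, verdict in verdicts.items():
        if verdict == EXPOSED_RLS_OFF:
            stmts.append(f"ALTER TABLE {name} ENABLE ROW LEVEL SECURITY;")
        elif verdict == EXPOSED_OPEN_POLICY:
            stmts.append(f"-- {name}: replace USING (true) with a row-scoping predicate")
    return stmts


if __name__ == "__main__":
    result = audit_rls(TABLES, GRANTS, POLICIES)
    for table, verdict in result.items():
        print(f"{table:22} {verdict}")
    print("\n".join(remediation_sql(result)))
```

Note the `audit_log` case: enabling RLS with no policy makes the table deny‑all for API roles, which is secure but will break any app that was reading it, so the remediation step is to enable RLS and then write a scoped policy, not to stop at the first statement.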
What This Means for Security Teams
- Dual‑layer exposure – Professional agents face credential theft on one layer; citizen platforms face data exposure on the other.
- Post‑deployment review – Security review happens after deployment—or not at all.
- IAM blind spots – Identity and Access Management systems track human users and service accounts, but they do not track a Lovable app a sales‑operations analyst deployed last Tuesday, connected to a live CRM database, and shared with three external contractors via a public URL.
- Unasked questions – Nobody asks whether the database policies restrict who can read the data or whether the API endpoints require authentication. When those questions go unasked at AI‑generation speed, exposure scales faster than any human review process can match.
The Core Question for Leaders
The question is not whether vibe‑coded apps are inside the perimeter; it is how many exist, what data they hold, and who can see them.
The RedAccess findings suggest that, for most organizations, the answer is worse than anyone in the C‑suite currently knows.
- Act now: Organizations that start scanning this week will find the hidden apps.
- Delay: Those that wait will read about themselves next.