"Vibe coding tools are leaking vast amounts of personal and corporate data." Recently, researchers at Israeli cybersecurity startup RedAccess, while studying the "shadow AI" trend, discovered that AI tools used by developers to rapidly build software have exposed medical records, financial data, and internal documents from Fortune 500 companies onto the open web.
Dor Zvi, CEO of RedAccess, said researchers found approximately 380,000 publicly accessible applications and other assets created by developers using tools such as Lovable, Base44, Netlify, and Replit, with around 5,000 containing sensitive corporate information; however, nearly 2,000 of these applications appeared to expose private data upon further inspection. Axios independently verified multiple exposed applications, and WIRED also confirmed these findings separately.
40% of AI-coded applications expose sensitive data,
Even administrative privileges are available.
As AI increasingly takes over the work of modern programmers, cybersecurity experts have long warned that automated coding tools will inevitably introduce a large number of exploitable vulnerabilities into software. However, when these vibe coding tools enable anyone to create and host applications on the web with just a single click, the issue extends beyond vulnerabilities—it’s nearly complete absence of security safeguards, including for highly sensitive corporate and personal data.
According to available information, the RedAccess team analyzed thousands of vibe coding web applications created using AI software development tools such as Lovable, Replit, Base44, and Netlify, and found that over 5,000 of them had virtually no security measures or authentication. Many of these web applications can be accessed directly by anyone who obtains their URL, along with their data. Others have minimal barriers, such as requiring only registration with any email address to gain access.
Among these 5,000 AI coding applications accessible to anyone simply by entering a URL in their browser, Zvi found that nearly 2,000, upon further inspection, appeared to expose private data. Zvi stated that approximately 40% of these applications leaked sensitive information, including medical records, financial data, corporate presentations and strategic documents, as well as detailed logs of user conversations with chatbots.
The screenshots of web applications he shared—some of which have been verified as still online and exposed—reveal sensitive information such as a hospital’s staff assignment details (including personal identities of doctors), detailed advertising procurement data from a company, a market entry strategy presentation from another company, complete chat logs from a retailer’s chatbot (containing customers’ full names and contact information), shipping records from a logistics company, and various sales and financial data from multiple corporations. Zvi also stated that, in some cases, these exposed applications could have granted him administrative privileges to the systems, even allowing him to delete other administrators.
Zvi said that finding vulnerable web applications with RedAccess was surprisingly easy. Lovable, Replit, Base44, and Netlify all allow users to host web applications on the AI companies’ own domains rather than the users’ own domains. As a result, researchers could simply use basic searches on Google and Bing, combining these companies’ domains with additional keywords, to identify thousands of applications developed using these tools for vibe coding.
In the case of Lovable, Zvi also discovered a large number of phishing websites impersonating major corporations, which appeared to have been created and hosted on Lovable domains using this AI coding tool, including brands such as Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s. Zvi also noted that the 5,000 exposed applications found by Red Access were hosted solely on the AI coding tool’s own domain, but there could be thousands more hosted on user-purchased domains.
Security researcher Joel Margolis noted that it is not easy to verify whether real data is truly exposed in an unprotected AI-coded web application. He and his colleagues previously discovered an AI chat toy that exposed 50,000 conversations with children on a website with almost no security measures. He suggested that data in vibe coding applications might merely be placeholders or that the application itself could be a proof of concept (POC). Wix’s Brodie also believes that the two examples provided to Base44 appear to be test sites or contain AI-generated data.
Nevertheless, Margolis believes that the issue of data exposure caused by AI-built web applications is very real. He says he frequently encounters the types of exposures Zvi described. “Someone on the marketing team wants to build a website—they’re not engineers and likely have little to no security background or knowledge,” he notes. AI coding tools will do exactly what you ask them to do, but if you don’t ask them to do it securely, they won’t do it on their own.
People can create freely
But the default settings are有问题
Less than two weeks before RedAccess’s research was released, another incident occurred: Cursor, running the Claude Opus 4.6 model, deleted PocketOS’s entire production database and all volume-level backups in just nine seconds via a single API call to its infrastructure provider, Railway.
Zvi bluntly stated, “People can create something and immediately use it in production on behalf of a company, without needing any approval—it’s almost without boundaries. I don’t think we can expect the entire world to undergo security education.” He added that his mother also uses Lovable for vibe coding, “but I don’t think she’d consider role-based access control.”
RedAccess researchers found that the privacy settings on multiple vibe coding platforms default to making the apps public unless users manually change them to private. Many of these apps are also indexed by search engines like Google, making them potentially accessible to anyone online.
Zvi believes that today’s AI web application development tools are generating a new wave of data exposure, rooted in the same combination of user error and inadequate security measures. However, a more fundamental issue than any specific security flaw is that these tools enable an entirely new group of people within organizations to create applications—often without security awareness and by bypassing existing enterprise software development processes and pre-deployment security reviews.
“Anyone in the company could generate an application at any time, completely bypassing any development process or security checks, and deploy it directly into production without consulting anyone—and that’s exactly what they did,” said Zvi. “The result is that companies are inadvertently leaking sensitive data through these vibe coding applications, one of the largest such incidents ever, exposing corporate or other sensitive information to anyone in the world.”
In October last year, Escape.tech scanned 5,600 publicly available vibe coding applications and found that over 2,000 contained critical vulnerabilities, more than 400 exposed sensitive information (including API keys and access tokens), and 175 cases involving personal data breaches (including medical records and bank account details). All vulnerabilities identified by Escape were present in live production systems and could be discovered within hours. In March this year, the company completed an $18 million Series A round led by Balderton, one of the core investment theses being the security gaps introduced by AI-generated code.
Gartner’s “Predicts 2026” report states that by 2028, the adoption of prompt-to-app approaches by citizen developers will increase software defects by 2,500%. Gartner believes a key new characteristic of these defects is that AI-generated code is syntactically correct but lacks understanding of overall system architecture and complex business rules. The cost of fixing these “deep context errors” will erode budgets originally allocated for innovation.
Responses and rebuttals from various platforms
Currently, three AI coding companies have disputed RedAccess researchers' claims, stating that the information provided was insufficient and that they were not given adequate time to respond. However, Zvi said they proactively reached out to the suspected owners of dozens of exposed web applications. Executives from each company emphasized that they take such reports seriously, while noting that public accessibility of these applications does not necessarily indicate a data breach or security vulnerability. Nevertheless, none of the companies denied that the web applications identified by RedAccess were indeed publicly exposed.
Replit’s CEO, Amjad Masad, stated that RedAccess gave them only 24 hours to respond before disclosing the issue. In his response on X, he wrote, “Based on the limited information they shared, RedAccess’s core allegation appears to be that some users published applications meant to be private onto the open internet. Replit allows users to choose whether their applications are public or private. Public applications are accessible on the internet by design. Privacy settings can also be changed with a single click at any time. If RedAccess shares a list of affected usernames, we will proactively set those applications to private by default and notify users directly.”
A spokesperson for Lovable responded in a statement: “Lovable takes reports of data exposure and phishing sites very seriously, and we are actively gathering the necessary information to conduct an investigation. This matter is still under active review. It should also be noted that while Lovable provides tools to help developers build secure applications, the ultimate responsibility for how those applications are configured lies with the creators themselves.”
In the previously disclosed CVE-2025-48757, it was documented that Lovable-generated Supabase projects suffered from insufficient or missing row-level security (RLS) policies. Some queries entirely bypassed access control checks, exposing data from over 170 production applications. While the AI generated the database layer, it failed to generate the necessary security policies to restrict data access. Lovable has disputed the CVE classification, stating that protecting application data is the customer’s responsibility.
Blake Brodie, Head of Public Relations at Wix, Base44’s parent company, stated in a statement: “Base44 provides users with powerful tools to configure the security of their applications, including access control and visibility settings.” She added, “Disabling these controls is an intentional and straightforward action that any user can perform. If an application is publicly accessible, it reflects the user’s configuration choice, not a platform vulnerability.”
Brodie also noted, “It is very easy to fabricate applications that appear to contain real user data. Without any verified examples provided to us, we cannot assess the validity of these claims.” In response, RedAccess countered that they did provide relevant examples to Base44. RedAccess also shared several anonymized communication records showing Base44 users thanking researchers for alerting them to exposure issues in their applications, after which those applications were secured or taken down.
It was reported that Wiz Research independently discovered in July last year a platform-level authentication bypass vulnerability in Base44. The exposed API allowed anyone to create “verified accounts” within private apps using only a publicly visible app_id. This vulnerability was equivalent to standing outside a locked building and, simply by calling out a room number, causing the door to open automatically. Wix patched the vulnerability within 24 hours of being notified by Wiz, but the incident revealed a critical issue: on these platforms, millions of applications are created by users who often assume the platform has already handled security for them—yet the underlying authentication mechanisms are surprisingly weak.
Reference link:
https://www.wired.com/story/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web/
https://www.axios.com/2026/05/07/loveable-replit-vibe-coding-privacy
https://venturebeat.com/security/vibe-coded-apps-shadow-ai-s3-bucket-crisis-ciso-audit-framework
This article is from the WeChat public account "AI Frontline" (ID: ai-front), authored by Hua Wei.