Israeli cybersecurity firm RedAccess scanned 380,000 publicly accessible web applications built with AI coding tools and found approximately 5,000 with virtually no security or authentication. Around 40% of those unprotected apps contained sensitive data, including medical records, financial information, corporate strategy documents, and full chatbot conversation logs.

Axios independently verified multiple exposed apps: a shipping company application detailing which vessels were expected at which ports, an internal healthcare company app listing active clinical trials across the UK, unredacted customer service conversations for a British cabinet supplier, and internal financial information from a Brazilian bank. Wired confirmed the findings separately. The exposures were not theoretical. They were live on the open web, indexed by Google, accessible to anyone with a browser.

RedAccess CEO Dor Zvi told VentureBeat the team discovered the exposure while researching shadow AI for enterprise customers. “There is no limit to how easily people can make something like this and use it in a production environment without company permission,” Zvi said. The apps were built on platforms including Lovable, Replit, and Base44, and deployed through services like Netlify, all of which allow users to host applications on the platform’s own domain rather than requiring a custom domain. That made discovery trivially easy: standard Google and Bing searches for platform domains surfaced thousands of results.

What vibe coding is and why it bypasses security

Vibe coding is the practice of describing an application in natural language and having an AI tool build it. The user does not need to know how to code. They describe what they want, the AI generates the application, and the platform deploys it to a public URL. The entire process can take minutes.

The platforms powering this workflow, including Lovable, Replit, Base44, and others, have been designed to minimise friction. Some default to making apps public unless the user manually changes the privacy setting. Many users do not change it because they do not realise the app is publicly accessible. The result is that internal tools, prototypes, and data dashboards built by employees for internal use end up on the open web with no authentication layer.

The CyberCX Hack Report, which SAW covered on 18 May, confirmed the pattern from the offensive security side. When asked whether organisations are “vibe-coding to production,” CyberCX answered yes, noting they had “conducted architecture reviews and penetration tests for a significant number of systems that were built primarily by AI. Often this is by organisations that have done no internal development prior.”

The vulnerability classes RedAccess documented are not sophisticated. Martin Cid Magazine’s analysis noted that many apps shipped with Supabase or Firebase API keys embedded directly in the client bundle, granting anyone who viewed the page source read access to the database. Some allowed write access. Others exposed admin endpoints. The category of flaw is not a zero-day or a misconfiguration. It is the complete absence of a security layer.
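As an added example (not RedAccess’s scanner and not code from any platform named here), the check below reads a built JavaScript bundle the way a browser would and classifies the credentials it finds, the way a pre-deploy review of a vibe-coded app might. It relies on two public key formats, Supabase legacy keys being JWTs whose payload carries a role claim and Firebase web API keys beginning with AIza; the sample bundle and the token inside it are constructed.

```python
import base64
import json
import re
from typing import Optional

# Well-known public formats: Supabase legacy keys are JWTs whose payload
# carries a "role" claim; Firebase web API keys begin with "AIza".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
FIREBASE_KEY_RE = re.compile(r'apiKey\s*:\s*["\'](AIza[0-9A-Za-z_-]{35})["\']')

def _b64url(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def _fake_jwt(role: str) -> str:
    """Constructed, unsigned token in the legacy Supabase key shape (sample only)."""
    return f"{_b64url({'alg': 'HS256', 'typ': 'JWT'})}.{_b64url({'role': role})}.sig"

def jwt_role(token: str) -> Optional[str]:
    """Read the 'role' claim from a JWT payload; no signature is verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, AttributeError):
        return None

def scan_bundle(js: str) -> list:
    """Classify embedded credentials by the database access they imply."""
    findings = []
    for token in JWT_RE.findall(js):
        role = jwt_role(token)
        if role == "service_role":
            findings.append({"kind": "supabase_service_role", "severity": "critical",
                             "note": "bypasses row-level security; revoke it and keep it server-side"})
        elif role == "anon":
            findings.append({"kind": "supabase_anon", "severity": "review",
                             "note": "public by design; confirm RLS is enabled on every table"})
    for _ in FIREBASE_KEY_RE.findall(js):
        findings.append({"kind": "firebase_web_key", "severity": "review",
                         "note": "public by design; confirm security rules deny unauthenticated reads"})
    return findings

# Constructed bundle fragment of the kind "view source" on a deployed app reveals.
SAMPLE_BUNDLE = f"""
const supabase = createClient("https://sample.supabase.co", "{_fake_jwt('service_role')}");
const firebaseConfig = {{ apiKey: "AIza{'x' * 35}", projectId: "sample-app" }};
"""

if __name__ == "__main__":
    print(*scan_bundle(SAMPLE_BUNDLE), sep="\n")
```

A service_role key in client code is a critical finding on its own; the anon and Firebase keys are flagged for review because what they can read is decided by server-side policies and rules, not by keeping the key out of sight.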

Why this is different from traditional shadow AI

SAW has covered shadow AI as a tool problem: employees using unapproved AI services, entering confidential data into public models, installing browser extensions with excessive permissions. The vibe-coding exposure is a step beyond that. Employees are not just using AI tools. They are using AI tools to build and deploy entire applications that process, store, and expose organisational data on public infrastructure.

The Vercel/Context.ai breach SAW covered in April followed a related pattern: a consumer AI tool with broad OAuth permissions became the entry point for a supply-chain compromise. The vibe-coding exposure is the same dynamic at scale: hundreds of employees across hundreds of organisations building applications that inherit no security controls from the organisation’s existing stack.

VentureBeat’s analysis framed the comparison directly: vibe-coded app exposure resembles the early days of misconfigured S3 buckets, when organisations were unknowingly leaving cloud storage open to the internet. The difference is that S3 bucket misconfigurations were typically created by developers who at least understood what a bucket was. Vibe-coded app exposures are created by employees who may not understand that their app is publicly accessible, that their data is stored in a third-party database, or that their API keys are visible in the page source.

The scale of AI-generated code

The exposure data sits within a broader trend. Daily.dev reports that 92% of US developers now use AI tools daily, with an estimated 41% of global code being AI-generated in 2026. A 2025 Escape.tech scan of 5,600 vibe-coded applications found more than 2,000 high-impact vulnerabilities, 400 exposed secrets (API keys and tokens), and 175 cases of personal data exposure.

CyberCX’s Hack Report found that application security findings jumped from 14.4% of all pen test findings in 2023 to 21.1% in 2025, with insecure design driving almost 60% of severe web application vulnerabilities. The vibe-coding data explains part of that trend: organisations that have never built software before are now shipping applications with no security review, no threat modelling, and no awareness that the application is publicly accessible.

What CISOs and IT teams should do

Scan for vibe-coded apps on your domains and your employees’ accounts. The RedAccess methodology was straightforward: Google and Bing searches for platform domains (lovable.app, replit.app, base44.app, netlify.app) combined with organisation-specific terms. Any CISO can replicate this search in an afternoon. The question is whether the results will be empty.

Add vibe-coding platforms to DLP and browser management rules. If the organisation’s DLP rules block employees from uploading files to unapproved cloud storage, the same rules should cover vibe-coding platforms. Employees building applications on Lovable or Replit are uploading organisational data to third-party infrastructure in exactly the same way they would by uploading files to an unsanctioned cloud drive.

Require authentication for any internally used application. The RedAccess finding was not that vibe-coded apps had weak security. It was that 5,000 had no security at all. Any application that processes organisational data, regardless of how it was built, should require authentication. SSO integration is the minimum. If a vibe-coded app cannot support SSO, it should not be connected to organisational data.

Define a threshold for when AI-generated apps must enter the engineering pipeline. Not every vibe-coded prototype needs a full SDLC review. But any application that processes personal data, connects to production databases, or is used by more than one person should be subject to the same security review as any other application. The threshold should be defined in the AI acceptable-use policy and enforced through the change management process.

Extend the AI asset inventory to include AI-built applications. The CISO shadow AI runbook covers discovery of AI tools employees use. It needs to cover AI tools employees use to build other tools. The inventory question is no longer “which AI services are our employees using?” It is also “what have our employees built with AI, and where is it running?”

Vendor disclosure

RedAccess is a cybersecurity startup selling shadow AI discovery tools. The research supports its commercial positioning. SAW has used the data because Axios and Wired independently verified multiple exposed applications, and the methodology (domain-based search across four major vibe-coding platforms) is replicable by any security team. Replit CEO Amjad Masad responded that public apps being accessible on the internet is normal behaviour. A Wix spokesperson (Wix owns Base44) said RedAccess did not disclose the specific URLs needed to verify the findings. Readers should consider both the vendor interest and the independent verification when evaluating the data.

Sources

  • Axios (Sam Sabin), “Thousands of AI-built apps exposed sensitive corporate and personal data,” 7 May 2026 (380,000 apps scanned, 5,000 exposed, independently verified examples, Zvi quotes, platform responses). axios.com
  • VentureBeat, “Vibe-coded apps: shadow AI’s S3 bucket crisis and a CISO audit framework,” 7 May 2026 (RedAccess methodology, Escape.tech 5,600-app scan, CISO framework, Cyberhaven 73.8% unauthorised ChatGPT accounts). venturebeat.com
  • Futurism, “Vibe Coded Apps Are Spilling Users’ Personal Information,” 10 May 2026 (Wired confirmation, 40% sensitive data exposure, medical and financial data). futurism.com
  • Security Boulevard, “Thousands of Vibe-Coded Apps Exposing Corporate, Personal Data: RedAccess,” 8 May 2026 (default public settings, Masad response, Wix/Base44 response). securityboulevard.com
  • Martin Cid Magazine, “A scan of 380,000 vibe-coded apps found thousands with no authentication at all,” 9 May 2026 (Supabase/Firebase key exposure, write access, admin endpoint exposure). martincid.com
  • daily.dev, “Vibe Coding 2026: AI Changing How Developers Write Code,” 25 March 2026 (92% US developers use AI daily, 41% of global code AI-generated). daily.dev