New research highlights potential data vulnerabilities in applications built with Vibe coding tools, VentureBeat reports, citing data from cybersecurity firm RedAccess. A recent study of 380,000 publicly accessible vibe-coding assets found that 5,000 vibe-coded apps exposed corporate and personal information. Accessible sensitive data included financial records and patient conversations, raising regulatory concerns. The findings highlight the weaknesses associated with shadow artificial intelligence, as many organizations lack adequate access controls and strict governance policies.
Your sensitive corporate and private information is being exposed on the open web at an alarming and ever-increasing rate.
As companies push employees to use AI tools like Lovable to create applications in the name of increased productivity, many of the novice coders practicing vibe coding are not versed in cybersecurity.
And what happens to sensitive information when your amateur vibe coding app isn’t checked by someone who knows how to code?
Internal financial information from a Brazilian bank is exposed.
Full, unredacted customer service conversations for a cabinet supplier in the U.K. can be seen by anyone.
An app for a hospital reveals conversations between doctors and patients, including patient complaints.
The app you created to plan your vacation to Belgium, including hotel and dinner reservation details, is easily found by searching the web.
A cybersecurity firm found over 380,000 publicly accessible assets built with tools from Lovable, Base44, and Replit, with about 5,000 of them including sensitive corporate data.
This included personally identifiable information.
And there are certainly a lot more out there.
Many of the applications are being built without corporate knowledge, making the problem of data leaks even harder to control.
Privacy settings on some of the more popular vibe coding tools are automatically set to make apps publicly accessible unless users manually change them to private.
Well-meaning and driven employees are inadvertently exposing corporate secrets.
Putting robust security in place and controlling access to data becomes even more important as users without any cybersecurity training or exposure to security protocols write code in their spare time.
AI-assisted code ships with 23.7% more security vulnerabilities.
Not "might." Does. The data is in.
The silent tax of AI velocity is showing up in every security review I've sat in this year. Suggested code that imports a deprecated library. Auth flows that look right and aren't. SQL that compiles, runs, and leaks.
The model didn't lie to you. It just doesn't know what your threat model is.
Here's the uncomfortable truth most leadership decks skip: shipping faster with AI without scaling your security and review practices in lockstep is a balance sheet problem disguised as a velocity win. You're borrowing from future-you at compound interest.
What I'm telling every eng leader I talk to:
1. Treat AI-generated code like junior dev code. Reviewed, not assumed.
2. Invest in SAST, DAST and threat modeling at the same rate you invested in Copilot seats.
3. Make your security engineers part of the AI rollout team, not the cleanup crew.
Velocity is not a strategy. Velocity in the right direction is.
Is AI making you a 10x developer, or just a 10x faster disaster?
We’ve all been there: You ship a feature in 15 minutes that should have taken 2 hours. The LLM wrote the queries, the agent filled the functions, the tests passed, and the "vibes" are great.
But there is a growing trap in software engineering right now. It’s being called "Vibe Coding"—the practice of building applications through a conversational loop of prompts and "green checkmarks" without a deep understanding of the underlying implementation.
+1
While the productivity boost feels real, the data from 2025 and 2026 suggests the speed is often an illusion masking long-term risk:
The Scalability Wall: Recent technical reviews found that over 90% of AI-built apps lack proper database indexing. They work perfectly for 10 test users but collapse under the weight of real production traffic.
The Security Spike: Analysis of 100+ LLMs shows that roughly 45% of AI-generated code contains security vulnerabilities (like Cross-Site Scripting or exposed API keys). By mid-2025, Fortune 50 companies saw a 10x spike in security findings directly tied to AI-accelerated workflows.
+1
The "Almost Right" Debugging Trap: Recent developer surveys indicate that 67% of engineers now spend significantly more time debugging "almost right" AI code than they would have spent writing it from scratch.
Skill Atrophy: If you prompt before you think, your architectural "muscles" wither. If you write code at the limit of your understanding, you physically cannot debug it when it breaks at 3 AM.
The Senior Engineering Strategy for 2026:
The best developers aren't those who refuse AI, nor those who let it drive. They use it strategically:
Boilerplate & Config: Use it for the repetitive 60% you already understand.
Exploration: Use it to compare three different architectural approaches.
Mental Models First: Never use AI for the core logic, security paths, or distributed system coordination that you haven't first mapped out yourself.
The Bottom Line: AI is a powerful amplifier, but it is a terrible crutch. Speed is useless if it leads to a system that no one on the team truly understands.
Don't be a "Vibe Coder." Be an architect who uses AI to build faster, not think less.
380,000 AI-built apps on the open web. Half with no authentication. Some with your company's data in them.
Security researchers scanned apps built with Lovable, Replit, Base44, and Netlify. Around 5,000 contained sensitive corporate data: financial records, clinical trial details, patient conversations, internal strategy docs. Indexed by Google. Accessible to anyone with the right URL.
The platforms defaulted to public. Most users never changed it.
Replit's CEO called it "expected behavior." Which is technically true and completely misses the point.
AI coding tools do exactly what you ask. If you don't ask for authentication, you don't get it. The model isn't making a mistake; it's succeeding at your prompt while your data walks out the door.
RedAccess CEO Dor Zvi: "I don't think it's feasible to educate the whole world around security. My mother is vibe coding with Lovable, and I don't think she'll think about role-based access."
That's the gap. "Anyone can build" also means anyone who doesn't know what they don't know can accidentally expose clinical records.
If people in your org are shipping internal tools via these platforms without your IT team knowing, this is what that looks like in practice.