May 30, 2026

2,000 Vibe-Coded Apps Expose Corporate Data: Security Tools Miss Them All

A research study analyzing publicly accessible applications built through vibe-coding platforms — AI-assisted development environments where users describe what they want in plain language and the AI generates a deployable web application — has found that more than 380,000 such applications are publicly accessible on the internet, approximately 5,000 of them expose sensitive corporate or personal data, and security researchers identified more than 2,000 vulnerabilities and 400+ exposed secrets across a sample of 5,600 analyzed apps. The study, conducted by RedAccess, documents a category of risk that current enterprise security tools — endpoint agents, Data Loss Prevention (DLP), and Cloud Access Security Brokers (CASB) — are structurally unable to detect.

// 01 Vibe Coding Security Risks: Technical Details

"Vibe coding" is the informal term for AI-assisted application development where a user provides natural language descriptions ("make me an inventory tracking app" or "build a customer CRM with email reminders") and an AI platform — including Replit, Bolt.new, Lovable.dev, v0.dev, and similar services — generates and deploys a functional web application, often within minutes.

The capability is genuinely powerful: non-technical users can build and deploy working web software without writing a single line of code. But the vibe-coding platforms optimize for deployment speed, not security. The applications they generate share a consistent set of security failures:

Default open access: Many vibe-coded applications are deployed with no authentication controls at all — anyone who reaches the URL is granted access, often including admin functionality. This is not a misconfiguration by the user; it is the default state of applications generated without explicit security requirements.

Hardcoded secrets: The AI models generating these applications frequently embed API keys, database credentials, and service tokens directly into the application code or environment configuration files, which are then deployed and potentially accessible publicly.

Overprivileged data access: Applications that are given access to corporate data sources (Google Drive, Notion, Salesforce, HR systems) to enable their intended function frequently provide that access without scoping — any user who reaches the application can access all data in the connected source, not just data relevant to their role.

No input validation: Vibe-coded applications rarely implement server-side input validation, leaving them open to injection attacks (SQL injection, cross-site scripting (XSS), and similar classes of vulnerability).

RedAccess identified 5,000 applications specifically leaking sensitive data, with exposed content including:

  • Medical records — patient information, treatment histories, and clinical notes
  • Financial data — IBAN bank account numbers, transaction records, and payroll information
  • Business intelligence — internal documents, strategic plans, and customer databases
  • Personally identifiable information (PII) — email addresses, phone numbers, and identity documents

The 2,000+ vulnerabilities found across the 5,600 analyzed applications included classic web application security failures — injection flaws, broken access control, sensitive data exposure — that were introduced by AI-generated code that was never security-reviewed.

// 02 Why Security Tools Cannot See This Risk

The research's most concerning finding is not the scale of exposure — it is the structural invisibility of vibe-coded applications to current enterprise security controls:

Endpoint Detection and Response (EDR) monitors processes, file system access, and network connections on managed devices. A user building and deploying a vibe-coded app through a browser generates telemetry that is indistinguishable from ordinary, non-malicious browser activity — the same behavioral signature as someone reading news or using a SaaS application.

Data Loss Prevention (DLP) monitors data movement through managed channels: email, file downloads, USB transfers, and cloud sync clients. A vibe-coded application that connects programmatically to a corporate data source via API — exporting customer records to a public-facing web application — moves data cloud-to-cloud, bypassing the endpoint entirely. DLP has no visibility into this data path.

Cloud Access Security Broker (CASB) mediates access to approved cloud services and detects policy violations. But a vibe-coded application is hosted on a platform's subdomain (e.g., my-app.replit.app) and appears to CASB as just another request to the Replit platform — a legitimate, approved SaaS tool. CASB cannot distinguish a benign Replit session from a vibe-coded application pulling corporate data into a publicly accessible endpoint.

Figure: Vibe-coded app shadow IT risk — how corporate data bypasses security controls

// 03 Who Is Affected

Enterprise organizations whose employees have adopted vibe-coding tools for shadow IT are at greatest risk. The research identifies 380,000+ publicly accessible vibe-coded applications — a meaningful fraction of which connect to enterprise data sources through employee OAuth authorizations.

Healthcare organizations are particularly exposed: the presence of medical records among the documented leaked data types represents direct HIPAA (Health Insurance Portability and Accountability Act — U.S. federal law requiring protection of medical information) compliance violations, independent of any other security concern.

Financial services firms face similar regulatory exposure through leaked IBAN numbers, transaction records, and client financial data, triggering obligations under PCI-DSS (Payment Card Industry Data Security Standard) and relevant financial privacy regulations.

Individual employees who built vibe-coded applications connecting to their personal or work data may have inadvertently exposed colleagues' or clients' information without realizing the applications were publicly accessible.

// 04 What You Should Do Right Now

  • Inventory vibe-coding platform usage in your organization. Query your SSO/IdP (Identity Provider) for OAuth authorizations granted to Replit, Bolt.new, Lovable.dev, v0.dev, and similar platforms. Each authorization represents a potential vibe-coded application connecting to corporate data.
  • Audit and revoke unnecessary OAuth scopes. Revoke authorizations for vibe-coding platforms that have not been explicitly approved. For approved uses, restrict OAuth scopes to the minimum data access required.
  • Update acceptable use policies to address AI-assisted application development. Most policies were written before vibe-coding platforms existed and do not cover the specific risk of deploying AI-generated applications that connect to corporate data sources.
  • For IT teams: configure your CASB to flag OAuth authorizations to vibe-coding platforms for review rather than silently passing them. This won't catch everything, but creates a review gate for new authorizations.
  • For developers building vibe-coded apps: treat any application connecting to real data as a production security concern. Add authentication before deploying publicly, review generated code for hardcoded secrets, and use a secrets manager rather than embedding credentials in code:

    # Check for hardcoded secrets in generated app code:
    git-secrets --scan --recursive .

    # Or use Gitleaks (without --report-path no report file is written):
    gitleaks detect --source . --report-format json --report-path gitleaks-report.json

  • Run a RedAccess-style inventory search — query your corporate domain on vibe-coding platform indexes, search engines, and services like Shodan for any publicly accessible applications you didn't know existed.
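One way to carry out the inventory and scope-audit steps above, as an added example that is not from the article or from RedAccess: it triages a constructed IdP OAuth-grant export against the platforms the article names, flagging every grant to one of them and escalating grants that carry whole-source scopes. The export shape, the platform domains (replit.com is assumed for Replit), and the BROAD_SCOPES list are assumptions to adapt to your own IdP.

```python
from dataclasses import dataclass

# Platforms named in the article; matched on the OAuth client's registered domain.
VIBE_CODING_DOMAINS = {"replit.com", "bolt.new", "lovable.dev", "v0.dev"}

# Scopes that hand an app an entire data source rather than a scoped slice.
# Constructed list modelled on Google Workspace / Microsoft Graph scope names;
# extend it with your own IdP's scope vocabulary.
BROAD_SCOPES = {"https://www.googleapis.com/auth/drive", "Files.ReadWrite.All",
                "https://www.googleapis.com/auth/gmail.readonly", "Directory.Read.All"}

@dataclass
class Finding:
    user: str
    client_name: str
    client_domain: str
    broad_scopes: list
    action: str

def triage_grants(grants):
    """Return one Finding per OAuth grant issued to a vibe-coding platform.

    `grants` is a list of dicts with keys user, client_name, client_domain and
    scopes (a hypothetical IdP export shape; adapt to your SSO's token report).
    """
    findings = []
    for g in grants:
        domain = g["client_domain"].lower()
        # Match the platform's domain or any subdomain of it (e.g. api.replit.com).
        if not any(domain == d or domain.endswith("." + d) for d in VIBE_CODING_DOMAINS):
            continue
        broad = sorted(s for s in g["scopes"] if s in BROAD_SCOPES)
        # A broad scope means the app can read the whole source: revoke pending review.
        action = "revoke-and-review" if broad else "review"
        findings.append(Finding(g["user"], g["client_name"], domain, broad, action))
    return findings

# Constructed sample export; none of these users or grants are real.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "client_name": "Replit", "client_domain": "replit.com",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "client_name": "Lovable", "client_domain": "lovable.dev",
     "scopes": ["openid", "email"]},
    {"user": "carol@example.com", "client_name": "Slack", "client_domain": "slack.com",
     "scopes": ["Files.ReadWrite.All"]},
]

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS):
        print(f"{f.action:18} {f.user:20} {f.client_name} scopes={f.broad_scopes}")
```

The Slack grant is ignored even though its scope is broad: the point of this pass is to find vibe-coding platforms first, then rank those grants by how much of the source they can read.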

// 05 Background: Understanding the Risk

Vibe coding represents the latest chapter in the decades-long tension between IT governance and shadow IT — the use of technology outside approved channels. Earlier generations of shadow IT included personal Dropbox accounts syncing corporate files, unsanctioned SaaS subscriptions expensed as general IT, and personal smartphones with corporate email before EMM (Enterprise Mobility Management) policies caught up.

What distinguishes vibe-coded shadow IT from its predecessors is the capability gap: a non-technical employee using vibe coding can accidentally build and deploy an application with the functional complexity of a custom-developed enterprise tool — connecting to multiple corporate data sources, processing sensitive records, and exposing results to the internet — in under an hour, with no IT awareness, no security review, and no deployment governance.

The 380,000 publicly accessible applications documented by RedAccess are not the result of malicious intent. They reflect a fundamental mismatch between the accessibility of AI-assisted development tools and the security awareness of the non-technical users who adopt them. The developer who builds a vibe-coded customer feedback tracker and deploys it publicly for their team to use has not intended to expose customer data to the internet — they simply haven't been given the context to understand that an unauthenticated deployment with access to the production CRM is a data breach waiting to be found.

// 06 Conclusion

The vibe-coded application security crisis represents a structural enterprise risk that existing security tools — EDR, DLP, and CASB — are fundamentally unable to detect, because the applications' data access is cloud-native, API-driven, and routed through ordinary browser sessions. With 380,000+ publicly accessible vibe-coded apps, 5,000 confirmed data leaks, and 2,000+ documented vulnerabilities across a sample, organizations must act now: inventory OAuth authorizations to vibe-coding platforms, update acceptable use policies, and implement CASB controls to flag new AI development platform authorizations before sensitive corporate data ends up in an unauthenticated public application.

By Team Ciphers Security (the Ciphers Security editorial team): practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.