
Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web: Understanding the vibe-coded app data exposure
Researchers from RedAccess say thousands of AI-generated web apps created on platforms such as Lovable, Replit, Base44, and Netlify are exposing sensitive corporate and personal data on the public internet. They describe a widespread vibe-coded app data exposure that was often discoverable with simple Google or Bing queries limited to platform domains and targeted business keywords [1]. The findings matter because many of these tools connect directly to production data without a security review, creating fast-growing attack surfaces [1].
The RedAccess findings: how researchers discovered mass exposures
RedAccess used basic search-engine dorking on host domains combined with business-specific keywords to locate exposed apps. Many returned pages or endpoints that assumed privacy but were publicly accessible. The team identified apps leaking emails, phone numbers, addresses, debt balances, payment and subscription data, and live API keys for services including Stripe, Google Maps, Gemini, and eBay [1]. RedAccess calls this one of the largest inadvertent corporate data exposures on the public web [1].
Technical case study: Lovable + Supabase and the RLS failure
A detailed example involved Lovable apps that queried Supabase directly from the browser using a public anon_key. In many cases, Row Level Security was missing or misconfigured, allowing unauthenticated queries to dump entire tables. In a scan of 1,645 Lovable apps, 170 had 303 vulnerable endpoints, suggesting that roughly 10 percent of the sample exposed at least one data-leaking endpoint. The pattern is tracked as CVE-2025-48757 and affects user-built apps rather than Lovable’s core platform [1]. For context on hardening such architectures, see Supabase’s RLS documentation.
Inside the vibe-coded app data exposure
The exposures fit broader low-code app data leaks. Common missteps include public APIs or endpoints without authentication, overly broad database access, unencrypted sensitive records, and missing monitoring. Leaked third-party API keys raise additional risks because they can enable downstream misuse beyond the original app’s scope [1]. Separate reporting around a Lovable incident underscores the sensitivity of data that can surface when governance is weak [2]. Platform comparison resources reflect continuing scrutiny of hosted builder security, especially when users deploy production data to public environments without proper controls [3].
Broader patterns: citizen development and AI builder misconfigurations
OWASP’s guidance for citizen development warns about authorization misuse, overprivileged and long-lived connectors, and AI-generated code that omits essential controls. These factors can lead to mass exposure of personal and business data when apps are rapidly published with minimal review [6]. Industry guidance stresses centralized oversight, least-privilege access, and mandatory checks before apps touch sensitive data or go live [4]. While builders highlight strong baseline security and ease of publishing for small businesses, governance and app-level design still determine real risk [5].
Business impact: regulatory, financial, and reputational risks
When personal and payment-related data is exposed, organizations face compliance obligations, customer notification duties, and potential fines. Live keys to payment or mapping services can enable fraud or quota abuse that extends beyond the affected app. RedAccess also showed that many leaks were easy to find with simple queries, expanding the pool of potential adversaries who could harvest this data at scale [1].
Detection checklist: how to find vibe-coded exposures in your org
- Search-engine dorking: query hosting domains such as popular app builders plus company names, internal terms, or data-field keywords [1].
- Inventory builders: catalogue no-code and AI-generated apps tied to your domains and vendors [1][4].
- Endpoint review: test unauthenticated GET/POST calls, especially to Supabase or similar backends, and verify Row Level Security policies [1].
- Key hygiene: scan frontends and repos for embedded API keys and tokens that should be server-side [1][6].
- Monitoring: enable logging and anomaly detection for public endpoints that read or write sensitive data [4][6].
Immediate mitigations and remediation playbook
- Revoke and rotate leaked third-party API keys, then scope replacements to least privilege [1][6].
- Enforce RLS and access controls on data stores; move sensitive operations to authenticated server-side endpoints to remediate the public Supabase anon_key exposure pattern [1][6].
- Add authentication to any endpoint returning PII or financial data and disable unauthenticated table queries [1][6].
- Remove production data from test builds and temporary apps; use masked or synthetic data [4][6].
- Document incidents, notify stakeholders, and track cleanup actions in a central register aligned to governance best practices for AI-built web apps [4][6].
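The two checklist items about Row Level Security (the endpoint review in the detection checklist and the "enforce RLS" step in the playbook) can be carried out from the database side rather than by probing public endpoints. The block below is an added example written for this page; it is not code from the article, from RedAccess, or from Supabase or Lovable. It assumes a Supabase-style Postgres project where the `public` schema is exposed through the REST API, that the `anon` and `authenticated` roles hold the default table grants, and that the `auth.uid()` helper exists; the `customers` table and its columns are constructed for illustration.

```sql
-- Added example (not from the article or any vendor). Run as a privileged role
-- in the project's SQL editor. Schema "public", the roles "anon"/"authenticated",
-- the function auth.uid() and the table "customers" are assumptions, see lead-in.

-- ---------------------------------------------------------------------------
-- 1. Audit: API-exposed tables with RLS switched off. Any row here is readable
--    by anyone holding the public anon_key, which is the failure mode the
--    article describes.
-- ---------------------------------------------------------------------------
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and rowsecurity = false
order by tablename;

-- ---------------------------------------------------------------------------
-- 2. Audit: tables where RLS is on but a policy grants the anon role (or every
--    role) an unconditional USING (true). RLS that is "enabled" with such a
--    policy leaks exactly as much as RLS that is off.
-- ---------------------------------------------------------------------------
select schemaname, tablename, policyname, roles, cmd, qual
from pg_policies
where schemaname = 'public'
  and qual = 'true'
  and ('anon' = any(roles) or 'public' = any(roles))
order by tablename, policyname;

-- ---------------------------------------------------------------------------
-- 3. The weak shape (constructed): a table created by a generated app with no
--    RLS at all. With default grants, GET /rest/v1/customers?select=* sent
--    with only the anon key returns every row.
-- ---------------------------------------------------------------------------
create table public.customers (
  id          bigint generated always as identity primary key,
  user_id     uuid    not null default auth.uid(),  -- owner of the row
  email       text    not null,
  phone       text,
  balance_due numeric(12, 2) not null default 0
);

-- ---------------------------------------------------------------------------
-- 4. The hardened shape: RLS on (and forced, so even the table owner cannot
--    bypass it), row access scoped to the signed-in user, and no policy for
--    the anon role at all, so unauthenticated requests get an empty result.
-- ---------------------------------------------------------------------------
alter table public.customers enable row level security;
alter table public.customers force  row level security;

-- Signed-in users see only their own rows.
create policy "customers: owner can read"
  on public.customers
  for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- Signed-in users may only insert rows that belong to themselves.
create policy "customers: owner can insert"
  on public.customers
  for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

-- Updates are also pinned to the owner, both for the rows touched and for
-- the values written.
create policy "customers: owner can update"
  on public.customers
  for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- For data that should never be reachable anonymously, remove the anon role's
-- table privileges as well, so the table is denied before RLS is even consulted.
revoke all on public.customers from anon;

-- Re-run the audit in step 1: public.customers must no longer be listed.
select tablename
from pg_tables
where schemaname = 'public'
  and tablename = 'customers'
  and rowsecurity = false;   -- expected: no rows
```

The two audit queries are the part worth scheduling: run them against every project before each public deployment and alert on any result, since a generated app that adds a table later will silently reintroduce the unprotected state. Policies are written with `(select auth.uid())` rather than a bare `auth.uid()` so the planner evaluates the caller's id once per query instead of once per row.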
Governance and prevention: policies, tooling, and culture
Centralized governance for low-code and citizen development, mandatory security reviews, RLS-by-default, and least-privilege connectors reduce risk at scale. Integrate security scanning and approvals before public deployment, and train citizen developers on data classification and authorization basics [4][6]. Vendor-facing content emphasizes platform simplicity and speed, which reinforces the need for disciplined guardrails when business users build apps that touch real data [5].
Tools & resources
- OWASP’s citizen development risks and controls can guide policy and reviews [6].
- Security checklists and governance playbooks help standardize reviews for low-code releases [4].
Sources
[1] Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web | WIRED
https://www.wired.com/story/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web/
[2] Lovable Data Breach April 2026: What Was Exposed & How to …
https://bastion.tech/blog/lovable-april-2026-data-breach/
[3] Lovable vs Replit Security: Which Is More Secure?
https://vibeappscanner.com/lovable-vs-replit-security
[4] Secure Low-Code Governance & DevSecOps Best Practices
https://infosprint.com/blog/low-code-app-security-a-complete-guide-to-protecting-ai-built-apps/
[5] No-Code vs AI App Builder: Which Is Best for Small Businesses?
https://www.knack.com/blog/ai-app-builder-no-code/
[6] OWASP’s Top 10 Risks for Citizen Development (PDF)
https://owasp.org/www-project-citizen-development-top10-security-risks/assets/images/OWASP’s%20Top%2010%20Risks%20for%20Citizen%20Development%20(2).pdf