Shadow AI and the Rise of Vibe-Coded Apps

Vibe-coded apps expose sensitive data, marking a systemic gap in security protocols. This pattern highlights shadow AI’s role as a risk amplifier in enterprise settings.

The alarming rise of shadow AI has been marked by the unexpected vulnerabilities exposed in vibe-coded applications. These applications, often created by nontechnical users on platforms such as Lovable and Base44, have opened a new front in the cybersecurity landscape that security programs were ill-prepared to defend against.

Israeli cybersecurity firm RedAccess has quantified this exposure, revealing 380,000 publicly accessible assets built with vibe coding tools. Of these, approximately 1.3% contained sensitive corporate information, exemplifying a significant security risk.

Systemic Vulnerability through Vibe Coding

Platforms like Lovable and Replit allow fast application development, bypassing traditional IT oversight. This results in applications being public by default unless manually secured. Google’s indexing of these applications compounds the vulnerability, making them accessible to anyone.

This gap in security awareness is emblematic of a broader issue: users lack the operational security knowledge to implement necessary access controls. A Lovable user is unlikely to consider the complexities of role-based access control while developing an app over a weekend. This oversight is where shadow AI becomes particularly pernicious.

The Shadow AI Multiplier Effect

The shadow AI phenomenon amplifies typical data security issues. Vibe-coded apps often combine AI-generated code with rapid deployment, sidestepping formal security practices. IBM’s 2025 report highlighted that breaches linked to shadow AI can add significantly to the cost of data breaches, averaging $4.63 million.

The risk of exposure is heightened by the lack of governance; 97% of organizations with AI-related breaches reported lacking proper access controls. Without governance and regular audits for unsanctioned AI tools, these breaches will likely escalate.

Addressing the Exposure

For Chief Information Security Officers (CISOs), responding to this challenge necessitates strategic interventions. This includes automated scanning of platform subdomains and enforcing SSO/SAML integration before deployment. Furthermore, expanding AppSec pipelines to include these applications could mitigate risks.

Pattern detected: unregulated platforms facilitate data exposure at scale.

CISOs who view this as an architectural issue rather than a policy problem are best positioned to address these vulnerabilities effectively.

Platform Responses and the Path to Security

The reactions from platforms like Replit and Base44 illustrate the ecosystem’s inconsistencies in handling security risks. While they recognize the existence of these vulnerabilities, a structural change in how security is integrated into the development life cycle is needed to prevent future exposures.

Authentication flaws, such as those discovered in Base44, highlight the inadequacy of current security practices in platforms where the assumption is that security is handled by the platform itself.

Future Implications for Security Teams

The RedAccess findings underscore the importance of proactive security measures. Traditional asset management tools fail to capture the dynamic nature of vibe-coded apps. This necessitates an evolved approach where security solutions are integrated directly with platform usage, ensuring comprehensive coverage of all deployed applications.

The systemic failure to control and audit these applications leads to vulnerabilities that could have industry-wide repercussions. Organizations that prioritize scanning and auditing these new digital assets will avoid the pitfalls of shadow AI.

The road ahead requires security teams to adopt a more integrated security strategy, one that encompasses shadow AI’s nuances and anticipates the next generation of technology-driven risks. Monitoring continues.