Vibe-Coding Apps Leak Sensitive Data: What It Means for Business Software

18 May 2026

Israeli security firm RedAccess this week disclosed that roughly 380,000 applications built on AI vibe-coding platforms like Lovable, Base44, Replit, and Netlify are publicly accessible on the open web. About 5,000 of them are actively leaking sensitive corporate and personal data, including medical records, financial information, and internal strategy documents. Around 40% of the surveyed apps exposed material that should have been private.

[Source: Axios]

Why This Matters

Shadow AI development is now a measurable security incident. Non-technical staff are shipping production-adjacent apps without security reviews. Default privacy settings on several platforms left projects publicly indexable by Google, which turned a configuration oversight into an open data feed.

The data exposed is not hypothetical. Researchers found an internal application for a healthcare company detailing active UK clinical trials, and internal financial information for a Brazilian bank. These are the kinds of artefacts that trigger regulatory action under GDPR and sector-specific rules.

The blast radius extends to enterprises that did not authorise the tools. Employees using a free vibe-coding platform to "prototype" workflows can pull in production data, credentials, or customer records. Once exposed, the company carries the legal and reputational risk, not the platform vendor.

Our Take

Vibe coding is genuinely useful for prototypes and internal demos. The problem is not the category. It is the assumption that a tool good enough to produce a working app is also good enough to produce a safe one. Production software requires authentication models, access controls, secrets management, and dependency auditing. Most vibe-coding platforms expose none of those concerns to the user by default.

For European businesses, three actions are worth taking this quarter. First, inventory which AI app builders are in use across your teams and what data they touch. Second, set a clear policy that anything handling customer, financial, or health data requires a formal development path with security review. Third, treat vibe-coded apps as throwaway prototypes that must be rebuilt properly before they handle real workflows.
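The first action, an inventory of which AI app builders are in use, can be started from web proxy or DNS logs. The script below is an added example, not code from the article or from RedAccess: it flags traffic to hosting domains of the platforms named above (the domain list is an assumption to be adjusted for your environment) and groups the results per user; the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp, user, method, host, path.
SAMPLE_LOG = """\
2026-05-12T09:14:02Z alice GET app.lovable.app /api/upload
2026-05-12T09:15:40Z alice POST crm-demo.lovable.app /customers
2026-05-12T10:02:11Z bob GET mycompany.base44.app /patients
2026-05-12T10:05:00Z carol GET www.example.com /index.html
2026-05-12T11:30:27Z dave GET finance-tool.netlify.app /export.csv
2026-05-12T11:31:00Z dave GET finance-tool.replit.app /export.csv
"""

# Assumed hosting domains for the platforms named in the article; extend as needed.
PLATFORM_DOMAINS = {
    "lovable.app": "Lovable",
    "base44.app": "Base44",
    "replit.app": "Replit",
    "repl.co": "Replit",
    "netlify.app": "Netlify",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\S+)$")


def platform_for_host(host):
    """Return the platform name if host equals or sits under a known platform domain.

    The check is a proper suffix match (dot included), so a host such as
    'notlovable.app' or 'lovable.app.example.com' is not matched.
    """
    host = host.lower().rstrip(".")
    for domain, name in PLATFORM_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def inventory(log_text):
    """Map each user to the sorted list of (platform, host) pairs they accessed."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the run
        _, user, _, host, _ = m.groups()
        name = platform_for_host(host)
        if name:
            found[user].add((name, host))
    return {user: sorted(pairs) for user, pairs in found.items()}


if __name__ == "__main__":
    for user, pairs in sorted(inventory(SAMPLE_LOG).items()):
        for platform, host in pairs:
            print(f"{user}\t{platform}\t{host}")
```

The resulting list is the starting point for the policy conversation: each flagged host can then be checked against the data-handling rule in the second action.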

If your team is moving fast on AI-driven internal tools and you want to keep that speed without inheriting these risks, our custom software solutions practice helps businesses turn promising prototypes into secure, audit-ready systems without slowing the work down.
