What Is Vibe Coding—and Why Security Keeps Getting Ignored
Vibe coding is reshaping software development, yet vibe coding security remains an afterthought for most creators. Coined by Andrej Karpathy, the term describes a workflow where developers—or complete beginners—describe what they want in plain English, let an AI no-code platform generate the code, and ship the result in minutes rather than weeks. No architectural planning. No security review. Just vibes.
The appeal is undeniable. Platforms like Lovable, Base44, Replit, and Netlify have demolished the barrier to entry for building web apps. You describe a feature, the AI writes the React components, configures the database, and even deploys to a live URL. For prototyping, internal tools, and side projects, this is revolutionary.
But here is the uncomfortable truth: when you remove the engineering gatekeepers, you also remove the security guardrails. A recent WIRED investigation published on May 7, 2026, revealed a vibe coding security crisis in which thousands of these AI-built applications are hemorrhaging sensitive data onto the open web. Corporate secrets, personally identifiable information (PII), and hardcoded API keys are sitting in publicly accessible repositories and live deployments, often because the person who “vibe-coded” the app never realized there was a settings panel for authentication.
Security has always been the tax on speed. When vibe coding security is skipped, the whole bill comes due at once.
The Wired Investigation: How Thousands of Apps Leaked Sensitive Data
Wired’s reporting is not theoretical when it comes to vibe coding security. Researchers from the Israeli cybersecurity firm RedAccess scanned the public web and found approximately 380,000 publicly accessible assets built with vibe-coding platforms like Lovable, Base44, Replit, and Netlify. Within that haystack, roughly 5,000 applications contained sensitive corporate data exposed without any authentication barrier.
Think about that for a second. Five thousand live applications—many of them built in the last year—are serving enterprise data to anyone with a browser and the right search query.
The investigation aligns with independent findings from the 2026 Frontend Secrets Report, which scanned 1,514 AI-built apps and discovered that 41% of them shipped at least one leaked secret key. Not one in ten. Nearly half. The median affected app leaked multiple keys across different services, compounding the blast radius—an alarming sign for vibe coding security overall.
What makes this different from traditional data leaks is the velocity. These apps were not legacy systems that accumulated technical debt over a decade. They were generated, deployed, and abandoned in days. The attack surface is not just large; it is accelerating.
Platforms in the Crosshairs: Lovable, Base44, Replit, and Netlify
Not all platforms are equally culpable, but none are entirely innocent. Each has a distinct vibe coding security risk profile worth understanding.
Lovable, the $6.6 billion darling of the vibe-coding movement, has already suffered multiple public security incidents in 2026 alone. A Broken Object Level Authorization (BOLA) flaw allowed any free user to access other users’ source code, database credentials, and AI chat histories by simply changing a project ID in a URL. When researchers disclosed the issue, Lovable initially dismissed it as “intentional behavior” before backtracking. That is not the response you want from infrastructure you trust with production data.
Base44 and Replit occupy a similar niche: they lower the floor for who can build software, but they do not always raise the ceiling for security defaults. Replit in particular has become a popular launching pad for student and hobbyist projects that rarely graduate past the “public” visibility setting. A Repl deployed as a web server is often public by default, meaning anyone can view the source code, fork it, and hunt for embedded secrets. For a classroom exercise, that is fine. For a prototype handling customer data, it is a liability.
Netlify, while more established as a hosting layer, compounds the problem because it makes deployment frictionless. Branch previews and deploy previews spin up automatically for every pull request, often with the same environment variables as production. A misconfigured .env or a public Supabase URL copied into client-side JavaScript is live globally within seconds of the first git push. Developers celebrate the instant preview URL; attackers celebrate the instant attack surface.
The common thread is not malice; it is default settings optimized for sharing, not for secrecy. Every one of these platforms is designed to make your work visible and accessible by default. That design principle is wonderful for open-source portfolios and terrible for corporate dashboards.
Real-World Impact: Corporate Secrets, PII, and API Keys Left Exposed
If you are wondering what kind of data is actually leaking, the answer is: everything.
RedAccess found internal dashboards exposing customer databases, HR tools with unprotected employee records, and logistics apps revealing real-time shipment data. The Wired report specifically noted cases where vibe-coded apps served as ad-hoc CRMs and project-management tools for small businesses—complete with unauthenticated access to client names, emails, and contract values.
API keys are another trove. The Moltbook incident, uncovered earlier this year, showed how catastrophically bad a vibe coding security lapse can get. Moltbook, a vibe-coded “social network for AI agents,” left a Supabase API key hardcoded in its client-side JavaScript. Security researchers extracted it within minutes. The result? Exposure of 1.5 million API authentication tokens and 35,000 verified email addresses. One misconfigured key led to a dataset worth selling on dark-web markets.
Even when the leak is not immediately exploitable, it is discoverable. Public-facing .env files, exposed Supabase Row Level Security (RLS) policies set to false, and frontend code littered with commented-out credentials all show up in GitHub search, Shodan, and specialized security scanners like TruffleHog. Your vibe-coded app is not just insecure; it is indexed.
Why AI-Generated Code Is Particularly Vulnerable to Misconfiguration
Traditional software development usually involves at least one engineer who understands where secrets belong. Even in rushed startups, there is typically a developer who has been burned by a leaked key before and enforces .env discipline. Vibe coding removes that scar tissue from the loop.
AI-generated code is confident and verbose. It will generate a full-stack application with database connections, authentication hooks, and third-party integrations without ever pausing to ask whether the Supabase URL should be public. The model does not feel anxiety. It does not remember the last breach. It simply completes the pattern you described.
This creates a dangerous class of citizen developers who can ship production-grade complexity without production-grade literacy. They do not know what Row Level Security is, so when the AI-generated boilerplate disables it “for simplicity,” they do not notice. They do not know that frontend environment variables in Vite or Next.js prefixed with certain naming conventions get bundled into the client bundle. The AI probably does not warn them either.
A typical vulnerable pattern looks like this:
1 | // This lives in client-side React code |
That second argument is a service-role key with full database access, and it is now sitting in every visitor’s browser tab. The developer did not paste it there out of negligence; the AI scaffold included it, and deployment felt like success.
Best Practices for Securing Vibe-Coded Deployments
This is not an argument against vibe coding. The productivity gains are real, and the democratization of software creation is genuinely exciting. But speed without scaffolding is a house of cards. Here is how to harden it and improve your vibe coding security posture.
1. Audit Defaults Before Shipping
Every platform has a “make public” checkbox that is often pre-ticked. In Lovable, Base44, and similar tools, review the sharing settings before you copy the live URL into a presentation. If the app handles anything more sensitive than a to-do list, require authentication.
2. Never Trust Client-Side Secrets
If your AI assistant generates a Supabase, Firebase, or Stripe initialization block with a hardcoded key, stop. Move that key to a server-side API route or an edge function. The frontend should talk to your backend; your backend talks to the database.
3. Enable Row Level Security (RLS)
On Supabase specifically—one of the most common AI-generated stack choices—RLS is disabled by default. That means anyone with the project URL can read and write every table. The fix is a single SQL toggle, but you have to know it exists:
1 | alter table your_table enable row level security; |
4. Run a Pre-Deploy Secret Scan
Tools like GitLeaks, TruffleHog, or GitGuardian can scan your repository in under thirty seconds. The Frontend Secrets Report found that a staggering portion of leaks would have been caught by a basic pre-commit hook, making this step essential for vibe coding security. If your vibe-coding platform integrates with GitHub, add a GitHub Action for secret scanning. It costs nothing and saves everything.
5. Pass Through a CI/CD Gate
According to Nokod Security’s research, only 12% of low-code app commits ever pass through a CI/CD pipeline. That means nearly nine out of ten vibe-coded deployments hit production without automated testing, linting, or security review. If you are deploying for a business, wrap the process in even a minimal GitHub Actions workflow to enforce vibe coding security standards. A two-minute YAML file running gitleaks, npm audit, and a basic build check catches more than you would expect.
6. Segment Your Environment Variables
Vibe-coding assistants often generate one .env.example file and leave it to the developer to figure out the rest. Create separate variables for preview, staging, and production. Never reuse a production database key in a deploy preview. Netlify, Vercel, and Railway all support scoped environment variables—use them.
7. Treat Prototypes as Production
The most dangerous phrase in vibe coding is “just a prototype.” Prototypes get shared. They get indexed. They get forgotten while still running on a public URL. If the app touches real data, it is production, and vibe coding security standards should apply accordingly.
Vibe Coding Security: Speed Without Safety Is a Liability
The vibe-coding revolution is not going away. If anything, it is expanding. Zenity’s research already shows that 62% of enterprise copilot and low-code applications contain security vulnerabilities, and the number of vibe-coded apps is growing faster than any manual vibe coding security audit program can match.
That growth creates a dilemma. On one side, we have millions of new creators building software that would never have existed under traditional cost and skill barriers. On the other, we have an internet increasingly littered with orphaned, misconfigured, data-bleeding applications that their creators do not know how to maintain—let alone secure.
The Wired investigation is not just a headline. It is a warning that the tooling has outpaced the literacy. We built a world where anyone can ship, but we have not yet built the guardrails that ensure what gets shipped does not become tomorrow’s breach notification.
If you are vibe coding, enjoy the speed. But do not confuse deployment with safety. The app that took you ten minutes to build can leak ten years of trust in ten seconds. Investing in vibe coding security today is the only way to keep tomorrow’s headlines from featuring your codebase.
References and further reading
- WIRED: “Vibe Coding Security: Thousands of AI-Built Apps Leak Corporate Secrets” (May 2026) — the primary source for the RedAccess findings
- GitLeaks — open-source secret scanner
- TruffleHog — secrets detection tool
- GitGuardian — secrets monitoring platform
- Supabase Row Level Security docs
- Lovable
- Replit
- Netlify
- Vercel
Please let us know if you enjoyed this blog post. Share it with others to spread the knowledge! If you believe any images in this post infringe your copyright, please contact us promptly so we can remove them.