Security Firm Identifies Hundreds of Thousands of Exposed Web Assets on Vibe-Coding Platforms
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON, May 29 (AP) — Security researchers have identified more than 380,000 publicly accessible web assets on emerging "vibe-coding" platforms, revealing that over 2,000 corporate-built applications lack access controls and expose sensitive data across six continents.
The findings, released Thursday by Red Access, highlight a growing vulnerability in the rapidly expanding sector of low-code development tools that allow non-developers to build and publish applications without traditional security guardrails or IT oversight. The exposed assets include internal dashboards, customer data repositories, and administrative interfaces that were intended for restricted access.
Vibe-coding platforms have gained traction among businesses seeking to accelerate digital transformation by enabling employees to create software solutions quickly. However, the speed of deployment often bypasses standard security protocols, leaving critical systems open to unauthorized access. The research indicates that many of these applications were deployed without authentication mechanisms, allowing anyone with the correct URL to view or manipulate sensitive information.
The scope of the exposure spans multiple industries, including finance, healthcare, and retail. In several instances, the exposed data included personally identifiable information, financial records, and proprietary business intelligence. Security experts warn that the lack of access controls on these platforms creates significant risks for data breaches and regulatory non-compliance.
Red Access researchers noted that the issue is not limited to a single platform or region. The 380,000 identified assets were distributed across North America, Europe, Asia, Africa, South America, and Oceania. The 2,000 corporate applications identified represent a fraction of the total ecosystem, suggesting the problem may be more widespread than currently understood.
The discovery comes as organizations increasingly rely on citizen developers to meet business needs. While these tools offer efficiency and cost savings, they also introduce new security challenges that traditional IT departments are not always equipped to manage. The absence of centralized oversight means that security policies are often inconsistent or entirely absent.
Industry analysts say the findings underscore the need for better governance around low-code and no-code development. Companies are being urged to implement stricter controls, including mandatory security reviews and automated scanning tools, before deploying applications to production environments.
Red Access has notified affected organizations and is working with platform providers to address the vulnerabilities. However, the researchers caution that the pace of new application creation may outstrip the ability of security teams to keep up.
The full extent of the data exposure remains unclear, and it is unknown how many of the exposed assets have been accessed by malicious actors. As the use of vibe-coding platforms continues to grow, the question of how to balance innovation with security remains unresolved.