Vibe Coding Data Breaches
Real cases of AI-built application security failures. When vibe-coded apps go from launch to breach in days.
This is the hub page documenting confirmed and reported data breaches in applications built with AI coding tools. From CVE-2025-48757 (Lovable) to exposed databases on Replit, these cases illustrate why security scanning is essential before deployment.
The Vibe Coding Breach Landscape
The Growing Problem of Vibe Coding Breaches
The vibe coding revolution has enabled millions of developers to build and deploy web applications at unprecedented speed. Tools like Lovable, Bolt.new, Cursor, Windsurf, Replit Agent, and v0 can generate functional applications from natural language prompts in minutes. But this speed has come at a significant cost: a wave of data breaches that are largely underreported and growing in frequency.
The breaches documented on this page represent confirmed cases where vibe-coded applications exposed real user data. They span multiple platforms and breach vectors, but they share common patterns: databases deployed without access controls, server-side secrets exposed in client code, authentication that exists only in the UI, and configurations that prioritize developer convenience over user security.
What makes vibe coding breaches particularly concerning is their systemic nature. These are not isolated incidents caused by unusual circumstances. They are the predictable result of AI code generation tools that optimize for functionality and speed while deprioritizing security. When thousands of applications are generated with the same insecure defaults, the result is not a single breach but a category of breaches that will continue to occur until the tools themselves improve or developers adopt security scanning as a standard part of their workflow.
This page serves as both a record of what has happened and a warning about what will continue to happen. Each case includes the platform involved, the root cause, the data exposed, and links to detailed analyses where available. If you have built an application with any AI coding tool, we strongly recommend running a security scan before accepting user data.
Documented Breach Cases
CVE-2025-48757: Lovable Default Configuration Vulnerability
A critical vulnerability was discovered in the default Supabase configuration generated by Lovable. Applications built with Lovable created Supabase database tables without Row Level Security enabled by default. Combined with the anon key being present in client-side code (which is by design), this meant that any visitor could directly query the database and access all data in all tables. The vulnerability was assigned CVE-2025-48757 and highlighted a systemic issue with AI code generation security defaults.
Data Exposed
- User profiles including emails, names, and phone numbers
- Application-specific data (orders, messages, documents)
- Authentication metadata and session tokens
- Business data stored in unprotected tables
Root Cause
Lovable's code generation templates did not include RLS enablement or policy creation as part of the default Supabase setup. The AI would create tables and insert data without ever running ALTER TABLE ... ENABLE ROW LEVEL SECURITY.
Aftermath
Lovable updated their code generation templates to include RLS by default. However, thousands of previously generated applications remain vulnerable unless manually updated by their developers.
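As an added example (not Lovable's or Supabase's code), a static check a developer can run over a migration file before deploying: it reports tables created without `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`, and tables that have RLS enabled but no policy; the migration text and function names are constructed for this illustration.

```javascript
// Added example, not from Lovable or Supabase: flag tables in a migration that
// never had RLS enabled (readable by anyone holding the public anon key) and
// tables with RLS enabled but no policy (the anon/authenticated roles see no
// rows at all, which is fail-safe but usually not what the app intended).

// Strip an optional schema prefix and double quotes; lower-case the result.
function tableName(raw) {
  const parts = raw.replace(/"/g, '').split('.');
  return parts[parts.length - 1].toLowerCase();
}

// Return { unprotected, noPolicy } table-name lists for the given SQL text.
function auditRls(sql) {
  // An identifier, optionally schema-qualified, each part optionally quoted.
  const ident = '((?:"[^"]+"|\\w+)(?:\\.(?:"[^"]+"|\\w+))?)';
  const createRe = new RegExp('create\\s+table\\s+(?:if\\s+not\\s+exists\\s+)?' + ident, 'gi');
  const rlsRe = new RegExp('alter\\s+table\\s+(?:only\\s+)?' + ident + '\\s+enable\\s+row\\s+level\\s+security', 'gi');
  const policyRe = new RegExp('create\\s+policy\\s+(?:"[^"]+"|\\w+)\\s+on\\s+' + ident, 'gi');
  const created = new Set(), rlsEnabled = new Set(), hasPolicy = new Set();
  for (const m of sql.matchAll(createRe)) created.add(tableName(m[1]));
  for (const m of sql.matchAll(rlsRe)) rlsEnabled.add(tableName(m[1]));
  for (const m of sql.matchAll(policyRe)) hasPolicy.add(tableName(m[1]));
  return {
    unprotected: [...created].filter((t) => !rlsEnabled.has(t)),
    noPolicy: [...created].filter((t) => rlsEnabled.has(t) && !hasPolicy.has(t)),
  };
}

// Constructed migration in the shape the text describes: three tables, RLS
// enabled on two of them, a policy on only one.
const SAMPLE_MIGRATION = `
create table public.profiles (id uuid primary key, email text);
create table if not exists public.orders (id serial primary key, user_id uuid, total numeric);
create table "Messages" (id serial primary key, body text);
alter table public.profiles enable row level security;
create policy "own profile" on public.profiles for select using (auth.uid() = id);
alter table "Messages" enable row level security;
`;

console.log(auditRls(SAMPLE_MIGRATION)); // { unprotected: ['orders'], noPolicy: ['messages'] }
```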
SaaS Application Built on Supabase Exposes 50,000 User Records
A SaaS application built rapidly using Cursor with a Supabase backend went viral after launch. Within 72 hours, a security researcher discovered that the entire user database was accessible through the Supabase API. The developer had disabled RLS during development for convenience and never re-enabled it. The application stored email addresses, names, subscription status, and usage data for over 50,000 users who signed up in the first week.
Data Exposed
- 50,000+ email addresses
- Full names and profile information
- Subscription and payment status
- Application usage data and preferences
Root Cause
RLS was disabled during development with a comment saying 'TODO: enable before launch'. The AI-assisted development workflow moved so fast that the security TODO was never addressed. No security review was conducted before launch.
Aftermath
The developer was forced to disclose the breach, shut down the application for two weeks while implementing security fixes, and lost significant user trust. The startup ultimately pivoted due to reputational damage.
Bolt.new Application Leaks Stripe and OpenAI Keys
Multiple applications generated by Bolt.new were discovered to have Stripe secret keys and OpenAI API keys hardcoded in client-side JavaScript bundles. Automated bots detected the exposed keys within hours of deployment. The Stripe keys were used to issue unauthorized refunds and the OpenAI keys were used for generating content at the application owners' expense.
Data Exposed
- Stripe secret keys (sk_live_) enabling payment manipulation
- OpenAI API keys used for unauthorized API consumption
- Database connection strings in some applications
- Third-party service credentials (SendGrid, Twilio)
Root Cause
Bolt.new generated configuration files with API keys directly in client-side code. The build process did not strip server-side secrets from the client bundle. No .env file pattern was used.
Aftermath
Affected developers received unexpected bills from OpenAI and Stripe. Some had their Stripe accounts suspended for fraud. Bolt.new improved their secrets handling in subsequent updates.
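As an added example (not Bolt.new's, Stripe's or Supabase's code), a check to run over a built client bundle before deploying; it also covers the "verify only anon key is in client code" item of the checklist below. It reports Stripe live secret keys, OpenAI keys and database URLs by pattern, and tells a Supabase anon key apart from a service_role key by decoding the JWT payload; the sample bundle and every key value in it are constructed placeholders.

```javascript
// Added example, not Bolt.new's or any vendor's code. Scan a built JS bundle
// for secrets that must never reach the browser. Sample values are placeholders.
// Decode the payload of a JWT-shaped string; null if it is not one.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Return [{ kind, match }] for every secret-looking value in the bundle text.
function scanBundle(js) {
  const findings = [];
  const rules = [
    { kind: 'stripe_secret_key', re: /\bsk_live_[A-Za-z0-9]{16,}\b/g },
    { kind: 'openai_api_key', re: /\bsk-[A-Za-z0-9_-]{20,}/g },
    { kind: 'postgres_url', re: /postgres(?:ql)?:\/\/[^\s"'`]+/g },
  ];
  for (const { kind, re } of rules) {
    for (const m of js.matchAll(re)) findings.push({ kind, match: m[0] });
  }
  // Supabase keys are JWTs. The anon key is meant to ship to clients; the
  // service_role key bypasses RLS entirely and must stay server-side.
  for (const m of js.matchAll(/\beyJ[\w-]+\.[\w-]+\.[\w-]+/g)) {
    const payload = jwtPayload(m[0]);
    if (payload && payload.role === 'service_role') {
      findings.push({ kind: 'supabase_service_role_key', match: m[0] });
    }
  }
  return findings;
}

// Constructed, unsigned JWT for the sample; a real key carries a valid signature.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholdersig`;
}

// Constructed bundle: one public anon key plus three values that must not be there.
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("sk_live_EXAMPLEPLACEHOLDER0000000");',
  `const supabase = createClient(url, "${fakeJwt({ role: 'anon' })}");`,
  `const admin = createClient(url, "${fakeJwt({ role: 'service_role' })}");`,
  'const DB = "postgresql://app:placeholder-pass@db.example.com:5432/app";',
].join('\n');

console.log(scanBundle(SAMPLE_BUNDLE).map((f) => f.kind));
```

Point it at the files under your build output (for example `dist/assets/*.js`); anything it reports must be moved behind a server route and the key rotated.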
Firebase-Backed Vibe App Exposes Health Data
A health tracking application built with Lovable using Firebase as the backend was found to have completely open Firestore rules. The developer had followed a tutorial that set rules to 'allow read, write: if true' and the AI-generated code never updated them. The application stored sensitive health data including medication lists, conditions, appointment notes, and personal health metrics for over 10,000 users.
Data Exposed
- Personal health information (PHI) for 10,000+ users
- Medication lists and dosage information
- Medical conditions and diagnoses
- Doctor appointment notes and records
Root Cause
Firebase Firestore rules were set to fully permissive during initial setup. Lovable-generated code did not include proper Security Rules configuration. The developer was unaware that Firebase rules are the primary security control.
Aftermath
The application was taken offline immediately. Due to the health data involved, the incident potentially fell under HIPAA regulations. The developer faced potential legal liability for the exposure of protected health information.
Replit Agent App Exposes Database via Public Repl
Several applications built with Replit Agent were discovered to have database credentials exposed in their public Repl source code. Replit Agent placed PostgreSQL connection strings directly in source files rather than using Replit Secrets. Because free Repls are public by default, these credentials were visible to anyone browsing the Replit platform. Automated scrapers identified and exploited the exposed databases.
Data Exposed
- PostgreSQL database credentials (full connection strings)
- User data stored in exposed databases
- Application configuration and business logic
- Third-party API keys in source files
Root Cause
Replit Agent generated code with hardcoded database credentials in source files. The developer did not know that free Repls are publicly visible or that Replit Secrets should be used for credentials.
Aftermath
Affected databases were accessed by unauthorized parties. Data was exfiltrated from at least some of the exposed databases. Replit improved Agent's handling of credentials in subsequent updates.
Windsurf-Built App with Client-Side Only Auth
A B2B application built using Windsurf implemented authentication purely on the client side. The AI-generated code checked for a valid session token in the browser but did not verify authentication on any API endpoints. An attacker discovered that all API endpoints were accessible without authentication, allowing them to access data from all customer accounts, modify pricing, and export business data.
Data Exposed
- All customer account data across multiple businesses
- Pricing and billing information
- Internal business documents and reports
- User credentials stored in the application
Root Cause
Windsurf generated React components with client-side auth checks (conditional rendering) but did not add authentication middleware to the Express API routes. The AI treated auth as a UI feature rather than a security boundary.
Aftermath
Multiple enterprise customers terminated contracts. The startup faced legal threats from affected businesses. The application required a complete rewrite of the authentication and authorization layer.
Common Breach Vectors in Vibe-Coded Apps
- Database tables deployed without Row Level Security or Firebase rules, allowing direct public access to all data.
- Supabase service_role keys, Firebase service accounts, or other privileged credentials in client-side code.
- Authentication checks only in the frontend UI, with unprotected API endpoints and server actions.
- API keys, database passwords, and third-party service credentials committed to public repositories.
- Source code and configuration visible in public Repls or GitHub repositories, including environment files.
- XSS leading to session theft, IDOR vulnerabilities, insecure file uploads, and miscellaneous issues.
Platform-Specific Security Analyses
For detailed security analyses of individual platforms, see our platform-specific incident pages:
- Lovable Security Incidents: Supabase misconfigurations, CVE-2025-48757, exposed credentials
- Firebase Security Incidents: open databases, permissive rules, real breach examples
- Supabase Security Incidents: RLS bypasses, service key exposure, configuration mistakes
- Replit Security Incidents: public Repls, exposed .env files, shared hosting risks
- v0 Security Incidents: XSS vulnerabilities, missing validation, hardcoded values
- Windsurf Security Incidents: MCP vulnerabilities, auth bypass patterns
Preventing Vibe Coding Data Breaches
Every breach documented above was preventable. The common thread is not that vibe coding is inherently insecure, but that developers deployed without verifying security. A five-minute security scan would have caught the issues that led to each of these breaches. Here is the minimum security checklist before accepting any user data in a vibe-coded application.
Before Any Users
- Enable RLS on ALL database tables
- Verify only anon key is in client code
- Add auth checks to all API endpoints
- Move all secrets to environment variables
Before Launch
- Run a security scan (VAS Starter Scan - $5)
- Test authorization with multiple accounts
- Configure security headers
- Review AI-generated auth logic
After Launch
- Monitor for unusual database access
- Set up alerting for auth failures
- Run regular security scans (VAS Pro - $29/mo)
- Keep dependencies updated
Do Not Become the Next Case Study
Every breach on this page was preventable with a simple security scan. Check your vibe-coded application for exposed databases, leaked credentials, and authentication bypasses before your users pay the price.
Frequently Asked Questions
How common are data breaches in vibe-coded applications?
Data breaches in vibe-coded applications are disturbingly common but underreported. Many incidents involve small applications or MVPs where developers do not disclose breaches publicly. Based on scanning data and public reports, approximately 40-60% of vibe-coded applications deployed to production have at least one critical security vulnerability that could lead to data exposure.
What is CVE-2025-48757?
CVE-2025-48757 is a critical vulnerability discovered in Lovable-generated applications related to the default Supabase configuration. Lovable's generated code created Supabase tables without enabling Row Level Security, meaning any visitor could directly query the database and access all data in all tables. The CVE affected thousands of applications.
Are vibe-coded apps more vulnerable than traditionally coded apps?
Yes, on average, vibe-coded applications have more security vulnerabilities. This is because AI tools optimize for functionality over security, developers using these tools often have less security knowledge, the speed of vibe coding means less time for review, and AI tools do not understand authorization requirements. However, a vibe-coded app that goes through proper security review can be just as secure.
What type of data is most commonly exposed in vibe coding breaches?
The most commonly exposed data types are: user email addresses and names (from unprotected user tables), authentication tokens (from insecure storage), API keys for third-party services (hardcoded in client code), business data like orders and messages (from missing RLS), and payment information references (from misconfigured Stripe integrations).
How can I prevent a data breach in my vibe-coded app?
Enable Row Level Security on ALL database tables, never expose service role keys in client code, implement server-side authentication and authorization, run a security scan before launching, store all secrets in environment variables, test authorization by trying to access other users' data, and configure security headers. The most critical step is enabling RLS.
Last updated: February 2026