Vibe Coding Exposed 5,000 Apps With Sensitive Data. What Next?
On May 7, Axios reported that RedAccess had identified 380,000 publicly accessible assets built with platforms including Lovable, Base44, Replit, and Netlify, with about 5,000 containing sensitive corporate data. WIRED, covering the same findings, reported more than 5,000 vibe-coded web apps with little or no security, and said around 40 percent exposed sensitive information.
Business apps can now be published, connected to company data, and used in production before anyone has properly set access, checked visibility, or established ownership. Axios put the point plainly, saying these products are enabling employees without engineering or cybersecurity training to publish internal apps publicly, often without company oversight or basic access controls.
Thousands of apps were left open because governance came too late
This was not one vendor getting hacked. It was thousands of apps left exposed because visibility settings were weak, authentication was missing, or access was never tightened after build. Axios reported that some products made apps public unless users manually switched them to private. WIRED stated that many of the apps were easy to find because they were hosted on platform domains and indexed by Google and Bing.
This moves the conversation away from a single security incident and toward a broader governance issue. Once people can go live this easily, ordinary mistakes scale very fast. A page that should have stayed private gets shared, or a useful app ends up exposing records and documents no one intended to surface.
Medical data, finance records, and customer conversations were left open
The exposed information was not trivial. Axios independently verified apps showing shipping schedules, active clinical trials in the UK, full customer service conversations for a cabinet supplier, and internal financial information from a Brazilian bank. WIRED reviewed apps that appeared to expose hospital work assignments, ad buying data, strategy presentations, chatbot logs with customer names and contact details, cargo records, and assorted sales and financial records.
There is enough here to make the enterprise lesson obvious. Governance broke down.
Access control failed first
Access control is the immediate failure here because these apps were public, weakly authenticated, or visible to the wrong people. Governance is the bigger failure because it decides who gets to publish, which data an app can touch, how authentication is set, what review is required, and who owns the app once people start using it.
This is also why the story matters beyond the platforms named in the articles. The risk is not confined to one vendor or a single category. It shows what happens when software creation becomes easier than oversight, and when an app reaches production before the business has answered basic questions about visibility, approval, and accountability.
Salesforce already has rules for who should see what
For Salesforce teams, this gets concrete very quickly. Salesforce already separates object and field access from record visibility. Permission sets, permission set groups, and profiles control object-level and field-level security, while record-level sharing settings, user roles, and sharing rules dictate which records users can view and edit.
The moment a vibe-coded experience sits in a separate app layer, that model has to be recreated somewhere else, or it gets watered down in the rush to launch. That is where enterprises start accumulating duplicate access logic, disconnected authentication, weaker auditability, and a second place for sensitive data to surface. For teams that run customer operations, approvals, service work, and revenue processes in Salesforce, that is not a small architectural detail. It is the difference between controlled acceleration and preventable exposure.

Titan is built around Salesforce context, not broad data exposure
This is where Titan carves out its niche. Titan is a Salesforce First Web Studio for forms, portals, eSign, docs, and surveys, built directly on your CRM so teams can work from a single source of truth. Titan AI Studio is shaped around the same setup work admins already know well, including fields, styling, layout, interactions, and mapping elements to objects and data flows. It understands the build context without requiring teams to expose sensitive records to an external app layer.
That is the difference. Titan is built around configuration, not broad access to operational data just to generate an experience. Instead of creating a disconnected app first and cleaning up governance later, teams can build where the data model, workflow logic, and access rules already live. Salesforce stays at the center, and there is far less need to push records into a separate layer just to get a project off the ground.
Access should be built in before a page goes live
Titan's SmartV Access Control lets teams define authenticated roles and control the data, actions, and elements each user can interact with inside the experience. In practice, that means access can be shaped before launch, not patched in after exposure.
That matters because enterprise experiences are rarely one-size-fits-all. A customer should see their own records and nothing else. A partner may need access to part of an account, but not to the broader business. An internal user may want to complete a workflow without inheriting blanket visibility into every connected record. SmartV gives Titan a practical way to enforce that level of control inside the experience itself.
Governed workflows matter as much as governed pages
The risk in this story is not only what someone can view. It is also what a workflow can trigger once the page is live. Titan's workflow product is built around Salesforce data, with audit trails that log workflow actions and triggers that can start from objects, record updates, or user actions. Titan also frames those workflows as starting and ending in Salesforce, which is exactly the right model when control and visibility matter.
That is the part many AI app discussions still skip. A governed page is only half the job. Enterprise teams also need governed approvals, submissions, automation, and a clear audit trail around data. If the workflow is disconnected from the system of record, the governance gap simply reappears one step later.
Enterprise AI now has to prove it can control access
The 5,000 exposed apps are not just a bad headline for vibe coding. They are a sharper test for the next generation of enterprise AI products. The better question now is not whether AI can help produce an app. It is whether the app stays governed once it goes live.
For Salesforce teams, the answer should be clear. Keep the build close to Salesforce, access inside the experience, and workflows tied to the system that already holds the rules. That is the case for Titan in this moment, and it is stronger than any grandiose claim about speed. Enterprise AI will be judged on control, visibility, and trust long after the first draft is generated.
Disclaimer: The comparisons listed in this article are based on information provided by the companies online and online reviews from users. If you found a mistake, please contact us.