
Your Vibe-Coded App Just Had a Security Breach. Here's Why It Was Inevitable.

AI coding tools generate functional code, not secure code. If your app was built primarily with AI, a security audit is not optional — it's urgent.

Security isn't a feature you add. It's a property of every decision made while building. AI tools optimize for making things work, not making things safe. The result is a predictable set of vulnerabilities that show up in almost every AI-built codebase.

RedAccess told Axios it found 380,000 publicly accessible assets built with vibe-coding tools, including about 5,000 containing sensitive corporate data.

The Moltbook breach exposed about 1.5 million API authentication tokens. Georgia Tech researchers reported that March 2026 alone had 35 CVEs tied to AI-generated code, more than all of 2025 combined.

The 5 Most Common AI-Generated Security Vulnerabilities

1. No Row Level Security on the database.

This is the single most common vulnerability in Supabase, Firebase, and similar backend-as-a-service (BaaS) stacks. The AI creates tables and queries but doesn't implement RLS policies. Any authenticated user can read any other user's data with the right query.

2. API keys hardcoded in frontend code.

The Moltbook breach exposed 1.5 million authentication tokens after a Supabase configuration exposed production data through client-accessible code. The AI-generated integration works, but the key ends up in inspectable frontend JavaScript or a public repository.

3. Missing authorization on API endpoints.

Authentication means "are you logged in?" Authorization means "are you allowed to do this?" AI tools reliably implement the first and miss the second. Result: any authenticated user can access another user's data or perform admin actions.

4. SQL injection via unsanitized inputs.

AI generates queries by string concatenation. It works until a user types malicious SQL into a form field and the app treats it as part of the query.

5. Sensitive data in logs.

AI-generated logging code frequently logs request objects in full — including passwords, tokens, and PII — to console or to a third-party logging service with no data masking.
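One way to keep passwords, tokens, and PII out of logs, as item 5 describes: log an allow-listed view of the request and mask sensitive fields before serializing. This is an added example, not code from the original article; the field-name list, the `redact` and `safeRequestLog` helpers, and the sample request are assumptions made for illustration.

```javascript
// Key names treated as sensitive (assumed list; extend it for your own schema).
const SENSITIVE_KEY = /pass(word)?|secret|token|authorization|cookie|api[-_]?key|ssn|email/i;
// Values that look like bearer credentials or JWTs even under an innocent key.
const SENSITIVE_VALUE = /^(Bearer\s+\S+|eyJ[\w-]+\.[\w-]+\.[\w-]+)$/;

function redact(value, seen = new WeakSet()) {
  if (typeof value === "string") {
    return SENSITIVE_VALUE.test(value) ? "[REDACTED]" : value;
  }
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[CIRCULAR]"; // already visited (cycle or shared reference)
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_KEY.test(key) ? "[REDACTED]" : redact(v, seen);
  }
  return out;
}

// Log an allow-listed view of the request instead of the whole object.
function safeRequestLog(req) {
  return JSON.stringify(redact({
    method: req.method,
    path: req.path,
    headers: req.headers,
    body: req.body,
  }));
}

// Constructed sample request, shaped like an Express-style req object.
const sampleReq = {
  method: "POST",
  path: "/login",
  headers: { authorization: "Bearer abc.def.ghi", "user-agent": "demo" },
  body: { email: "a@example.com", password: "hunter2", note: "hello" },
  socket: {}, // never logged: not on the allow-list
};
sampleReq.body.self = sampleReq.body; // self-reference that would break JSON.stringify

console.log(safeRequestLog(sampleReq));
```

Key-name matching over-redacts on purpose (a key such as `bypass` is masked too); losing a harmless field in a log costs less than leaking a credential.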

What a Security Audit Actually Checks

A proper audit of an AI-built app covers:

  • Authentication and session management.
  • Authorization at every endpoint.
  • Database access controls, including RLS and permissions.
  • Secrets management, including no keys in code and no committed environment files.
  • Input validation and output encoding.
  • Dependency vulnerabilities, checked with npm audit, bundler-audit, or an equivalent tool.
  • Data exposure in logs and error messages.
  • HTTPS enforcement and cookie security flags.
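The "authorization at every endpoint" check, and the authentication-versus-authorization gap from item 3, as a test that can be run against a handler. This is an added example, not part of the original article; the invoice data, the session shape, and all function names are hypothetical.

```javascript
// Constructed in-memory data standing in for a database table.
const invoices = new Map([
  ["inv-1", { id: "inv-1", ownerId: "alice", total: 120 }],
  ["inv-2", { id: "inv-2", ownerId: "bob", total: 75 }],
]);

// Before: the handler only checks that *someone* is logged in (authentication).
function getInvoiceAuthnOnly(session, invoiceId) {
  if (!session) return { status: 401 };
  const invoice = invoices.get(invoiceId);
  return invoice ? { status: 200, body: invoice } : { status: 404 };
}

// After: ownership, or an explicit admin role, is checked per object (authorization).
// session.role must come from the server-side session, never from request input.
function getInvoice(session, invoiceId) {
  if (!session) return { status: 401 };
  const invoice = invoices.get(invoiceId);
  const allowed = Boolean(invoice) &&
    (invoice.ownerId === session.userId || session.role === "admin");
  // Same 404 for "missing" and "not yours", so the response does not confirm an ID exists.
  return allowed ? { status: 200, body: invoice } : { status: 404 };
}

// Audit helper: call the handler as every ordinary user against every record
// and report each case where a user received a record they do not own.
function crossUserLeaks(handler) {
  const users = [...new Set([...invoices.values()].map((inv) => inv.ownerId))];
  const leaks = [];
  for (const userId of users) {
    for (const inv of invoices.values()) {
      const res = handler({ userId, role: "user" }, inv.id);
      if (res.status === 200 && inv.ownerId !== userId) {
        leaks.push(`${userId} read ${inv.id}`);
      }
    }
  }
  return leaks;
}

console.log("authn only:", crossUserLeaks(getInvoiceAuthnOnly));
console.log("with authz:", crossUserLeaks(getInvoice));
```

The same matrix of "every user against every record" belongs in the test suite of each endpoint that takes an object ID.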

A summary of NYU/CSET-cited research reports that 48% of generated code snippets from five commercial LLMs contained at least one MITRE CWE Top 25 vulnerability. That's the baseline you're working from.

What to Fix First

Immediate: do today.

  • Rotate any API keys that may have been exposed.
  • Add RLS policies to every database table.
  • Audit all endpoints for missing authorization checks.

This week.

  • Move all secrets to a secrets manager like AWS Secrets Manager, Doppler, or Vault.
  • Add input validation at every form and API boundary.
  • Review logging configuration and remove any sensitive field logging.

This month.

  • Commission a formal penetration test.
  • Implement a vulnerability disclosure policy.
  • Set up dependency scanning in CI/CD.

FAQ

How do I know if my API keys are exposed?

Search your git history for strings matching your key patterns. Search your compiled frontend bundle. Use tools like GitLeaks or TruffleHog on your repository.
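A sketch of the "search your compiled frontend bundle" step, added here as an example and not taken from the original article or from any of the tools named above. The pattern list, function names, and sample bundle are assumptions; the JWT handling relies on Supabase's JWT-format keys carrying a `role` claim, where `anon` is the key intended for browsers.

```javascript
// Key shapes to look for (assumed list; add the ones your providers issue).
const PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "stripe-secret-key", re: /\bsk_live_[0-9a-zA-Z]{16,}\b/g },
  { name: "jwt", re: /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g },
];

// Decode a JWT payload without verifying it; only the claims are needed here.
function jwtClaims(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Findings carry type and offset only, so the scan output never repeats the secret.
function scanBundle(text) {
  const findings = [];
  for (const { name, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      const finding = { type: name, offset: m.index, severity: "high" };
      if (name === "jwt") {
        const claims = jwtClaims(m[0]);
        if (!claims) continue; // JWT-shaped but not decodable: ignore
        finding.role = claims.role ?? null;
        // An "anon" key is expected in a browser bundle; any other role is not.
        finding.severity = claims.role === "anon" ? "info" : "high";
      }
      findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample bundle with fake, unsigned tokens and a fake key.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const fakeJwt = (role) => `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", role })}.c2ln`;
const sampleBundle =
  `const a=createClient(u,"${fakeJwt("anon")}");` +
  `const admin=createClient(u,"${fakeJwt("service_role")}");` +
  `const s="sk_live_${"x".repeat(24)}";`;

console.log(scanBundle(sampleBundle));
```

An `info` finding for an `anon` key is only acceptable when RLS policies are in place on every table that key can reach.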

Do I need a full penetration test or just a code review?

Both, in order. Code review first: cheaper, faster, and catches structural issues. Penetration test after the structural issues are fixed: tests what a real attacker would find. Running a pen test before a code review is expensive and produces a long list of things the code review would have caught anyway.

What's the liability exposure from a breach of an AI-built app?

GDPR fines can reach up to 4% of annual global turnover. CCPA fines can reach up to $7,500 per intentional violation. Class action exposure exists if user PII was exposed. Enterprise contract penalties may apply if you have data processing agreements. The liability exposure is real and scales with user count.

Can I claim my AI tool is responsible for the breach?

No. The developer who deployed the code is responsible for its security properties, regardless of how it was generated.

Need a security review?

If your app was primarily built with AI, the cheapest time to find security problems is before users, auditors, or attackers find them.
