The 8 most common security vulnerabilities in AI-generated code, ranked by prevalence. Learn what AI misses and how to fix it before attackers find it.
Find these issues in your codebase automatically.
Supabase tables created without RLS policies allow any user to read, write, or delete all data in the database.
AI tools create tables and queries but skip RLS configuration because it requires understanding your app's authorization model.
-- AI generates this (vulnerable) CREATE TABLE user_data (id uuid, user_id uuid, data text); -- But forgets this (required) ALTER TABLE user_data ENABLE ROW LEVEL SECURITY; CREATE POLICY "Users can only access own data" ON user_data FOR ALL USING ((select auth.uid()) = user_id);
Enable RLS on every table and create policies that restrict access based on the authenticated user's ID.
CVE-2025-48757: 170+ Lovable apps exposed due to missing RLS
API keys for OpenAI, Stripe, databases, and other services hardcoded directly in JavaScript/TypeScript files.
AI prioritizes making code work immediately. Hardcoding keys is the fastest path to functional code.
// AI generates this for convenience
const openai = new OpenAI({
apiKey: 'sk-proj-abc123...' // Exposed!
});
// Should use environment variables
const openai = new OpenAI({
apiKey: process.env.OPENAI_API_KEY
});Move all API keys to environment variables. Never commit secrets to source control.
Thousands of OpenAI keys leaked via GitHub repositories
Access controls implemented only in the frontend with JavaScript, easily bypassed by calling APIs directly.
AI generates UI code that hides admin features, but doesn't implement server-side authorization checks.
// AI generates client-side only check
{user.role === 'admin' && <AdminPanel />}
// But the API has no protection
app.get('/api/admin/users', (req, res) => {
return db.getAllUsers(); // No auth check!
});Always verify authentication and authorization on the server. Client-side checks are for UX only.
Multiple admin panel exposures in production vibe-coded apps
APIs that return data based on IDs without verifying the user is authorized to access that specific resource.
AI writes clean REST endpoints but doesn't add ownership verification to each data access.
// Vulnerable - no ownership check
app.get('/api/orders/:id', async (req, res) => {
const order = await db.getOrder(req.params.id);
return res.json(order); // Anyone can access any order!
});
// Fixed - verify ownership
app.get('/api/orders/:id', async (req, res) => {
const order = await db.getOrder(req.params.id);
if (order.userId !== req.user.id) return res.status(403);
return res.json(order);
});Add ownership checks to every data access. Verify the authenticated user owns the requested resource.
User data exposure in fintech vibe-coded application
Missing CSP, HSTS, X-Frame-Options, and other headers that protect against XSS, clickjacking, and other attacks.
AI focuses on application code, not deployment configuration. Security headers require infrastructure setup.
// Missing headers leave app vulnerable
// No Content-Security-Policy (XSS risk)
// No X-Frame-Options (clickjacking risk)
// No Strict-Transport-Security (MITM risk)
// Add in next.config.js or hosting config
headers: [
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'Strict-Transport-Security', value: 'max-age=31536000' },
]Configure security headers in your hosting platform (Vercel, Netlify) or application config.
Common finding across 72% of scanned vibe-coded apps
User input concatenated directly into database queries, allowing attackers to execute arbitrary queries.
AI sometimes uses string interpolation for readability instead of parameterized queries.
// Vulnerable - string interpolation
const user = await db.query(
`SELECT * FROM users WHERE id = '${userId}'`
);
// Fixed - parameterized query
const user = await db.query(
'SELECT * FROM users WHERE id = $1',
[userId]
);Always use parameterized queries or ORMs. Never concatenate user input into SQL strings.
Database compromise via injection in vibe-coded e-commerce site
Authentication systems that accept short or simple passwords, making accounts vulnerable to brute force attacks.
AI uses default authentication settings that prioritize ease of use over security.
// AI default - no requirements
const { error } = await supabase.auth.signUp({
email, password // Accepts '123456'
});
// Should enforce requirements
if (password.length < 12) throw new Error('Password too short');
if (!/[A-Z]/.test(password)) throw new Error('Need uppercase');
if (!/[0-9]/.test(password)) throw new Error('Need numbers');Enforce minimum 12 characters with complexity requirements. Consider using a password strength library.
Account takeovers due to weak passwords in vibe-coded SaaS apps
User accounts created without verifying email ownership, enabling impersonation and fake accounts.
Email verification adds complexity to the signup flow. AI skips it for faster implementation.
// AI skips verification for simplicity
const { user } = await supabase.auth.signUp({ email, password });
// User immediately has full access
// Should require email confirmation
// Configure in Supabase dashboard:
// Authentication > Settings > Enable email confirmationEnable email verification in your auth provider. Don't grant full access until email is confirmed.
Fake account abuse in vibe-coded community platforms
VAS scans your vibe-coded application for all 8 vulnerability types. Get a detailed report with fixes in minutes.
Start Free Security ScanThe most common vulnerabilities are missing database access controls (RLS), exposed API keys in frontend code, client-side only authentication, and insecure direct object references (IDOR). These account for over 60% of all security issues found in vibe-coded applications.
AI coding tools are optimized for generating functional code quickly, not secure code. Security requires explicit configuration (like RLS policies), understanding of attack vectors, and defense-in-depth thinking that AI doesn't prioritize. AI takes shortcuts that work but aren't secure.
Run an automated security scanner like VAS before deployment. Manual code review focusing on authentication, database access, and API key handling also helps. Check every database table for RLS, every API endpoint for auth, and every file for hardcoded secrets.
No, these vulnerabilities exist in traditionally-coded apps too. However, vibe-coded apps have higher rates because AI consistently makes the same security mistakes. Human developers learn from security incidents; AI models repeat the same patterns.
Yes, but you must review and harden the generated code. Treat AI output as a first draft that needs security review. Run automated scans, configure database security, move secrets to environment variables, and add server-side validation before deploying.
Last updated: January 16, 2026