Vibe coding, building software by describing it in natural language and letting AI write the code, has taken the development world by storm. It's fast, it's fun, and it's shipping code with security vulnerabilities at rates that should keep every CISO awake at night.

Research consistently shows that 45% or more of AI-generated code contains OWASP Top 10 vulnerabilities (Veracode, 2026). The same study, which tested over 100 different large language models, found this failure rate unchanged across two years of rapid model improvements.

Here are the ten most dangerous security issues specific to vibe-coded applications, backed by research and real-world incidents.


1. Prompt Injection: The AI-Specific Attack Vector

The problem: Vibe-coded applications often accept user input that gets fed back into AI models: chatbots, content generators, code analysers. Attackers can craft inputs that hijack the AI's behaviour, tricking it into revealing system prompts, executing arbitrary commands, or generating malicious output.

Why it's worse than traditional injection: Unlike SQL injection, which has well-understood mitigation patterns, prompt injection is a new vulnerability class that most developers don't know how to defend against. OWASP now includes prompt injection at the top of its LLM Application Security Top 10.

Real incidents: CVE-2025-54135 (CVSS 9.8) demonstrated that prompt injection in Cursor IDE's project README parsing could achieve remote code execution. CVE-2025-53773 showed that AI tools processing PR descriptions could be hijacked to execute arbitrary commands. Kaspersky's 2026 research documented prompt injection as the fastest-growing AI-specific attack vector, with a 320% year-over-year increase.

The fix: Treat all LLM-facing inputs as untrusted. Implement input sanitisation specifically for AI prompts. Never concatenate user input directly into system prompts.

2. Hardcoded Credentials and Secret Leakage

The problem: AI models are trained to produce *working* code first and *secure* code second. This means they frequently generate code with hardcoded API keys, database credentials, and internal URLs, because that's what "working" looks like in training data.

Why it's prevalent: A Truffle Security study found that LLMs actively *teach* developers to hardcode API keys, embedding insecure patterns in tutorial code and documentation. Escape.tech's 2026 analysis of 1,400 vibe-coded production applications found 400+ leaked secrets including cloud provider credentials, database passwords, and internal service tokens.

The fix: Implement automated secret scanning as a pre-commit hook. Use environment variables and secret management services. Never commit AI-generated code without running a secrets detector.
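A sketch of what a pre-commit secrets check does, added here as an illustration and not taken from any tool named in this article. It reads unified diff text (the kind `git diff --cached` produces) and flags only added lines; the two rules, the function names and the sample diff are assumptions made for the example.

```python
import re

# Rule 1: AWS access key IDs have a fixed shape (AKIA/ASIA + 16 upper-case alphanumerics).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Rule 2: a quoted literal of 8+ characters assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"\b(\w*(?:secret|token|passw(?:or)?d|api_?key)\w*)\s*[:=]\s*[\"']([^\"']{8,})[\"']",
    re.I,
)

def scan_added_lines(diff_text):
    """Return (path, line_no, rule) for every added line that looks like a secret."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first line number in the new file.
            line_no = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            line_no += 1
            if AWS_KEY_ID.search(line):
                findings.append((path, line_no, "aws-access-key-id"))
            if ASSIGNMENT.search(line[1:]):
                findings.append((path, line_no, "literal-credential"))
        elif not line.startswith("-"):
            line_no += 1  # context line: present in the new file, not scanned
    return findings

# Constructed diff; the key ID is the placeholder used in AWS documentation.
SAMPLE_DIFF = """\
+++ b/app/config.py
@@ -1,2 +1,5 @@
 import os
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+API_KEY = "q8Zr2LkV9xTn4WbY7sHd"
+AWS_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "changeme"
"""

if __name__ == "__main__":
    hits = scan_added_lines(SAMPLE_DIFF)
    for hit in hits:
        print(*hit)
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

The environment lookup on line 2 passes while both literals and the key ID are reported, which is the behaviour a hook needs: it blocks the hardcoded pattern without blocking the recommended one.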

3. Hallucinated Dependencies and Supply Chain Attacks

The problem: When you ask an AI to "add a markdown parser" or "implement PDF generation," it often hallucinates package names, suggesting dependencies that don't exist in any registry. Attackers can register these hallucinated package names, creating a direct supply chain attack vector.

Why it's dangerous: Lasso Security's research found that 34% of AI-suggested package names are hallucinations. A USENIX Security 2025 paper ("We Have a Package for You!", Spracklen et al.) confirmed this finding at scale. A separate study (arXiv:2410.06462) demonstrated a "Hallucinating AI Hijacking Attack" where attackers weaponise these hallucinations by pre-registering likely hallucinated package names.

The fix: Verify every dependency against a trusted registry before installing. Pin all dependency versions. Use package provenance verification tools. Never blindly run `npm install` or `pip install` on an AI-generated requirements file.
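One way to gate an AI-generated requirements file before anything is installed, added here as an example rather than taken from the studies cited above. It assumes the team keeps an approved-package list (the `APPROVED` set below is constructed), and it rejects unpinned entries, names that are not on the list, and pip options that could point the install at another index.

```python
import re

# Constructed allowlist standing in for an internal mirror or vetted package index.
APPROVED = {"requests", "markdown", "reportlab"}

NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
EXACT_PIN = re.compile(r"==[A-Za-z0-9.!+_-]+")  # no '*', so "==1.*" is not a pin

def normalise(name):
    """PEP 503 normalisation, so 'Report_Lab' and 'report-lab' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text, approved=APPROVED):
    """Return (line_no, item, reason) findings; an empty list means the file passes."""
    allowed = {normalise(n) for n in approved}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, markers
        if not line:
            continue
        if line.startswith("-"):
            # Options such as --extra-index-url can redirect installs to another index.
            findings.append((no, line, "pip-option"))
            continue
        m = NAME.match(line)
        if not m:
            findings.append((no, line, "unparseable"))
            continue
        name = normalise(m.group())
        spec = re.sub(r"^\[[^\]]*\]", "", line[m.end():].replace(" ", ""))  # drop extras
        if not EXACT_PIN.fullmatch(spec):
            findings.append((no, name, "unpinned"))
        if name not in allowed:
            findings.append((no, name, "not-approved"))
    return findings

# Constructed sample of an AI-generated requirements file.
SAMPLE = """\
requests==2.32.3
markdown>=3.0
fastmd-parser==1.0.2   # constructed name standing in for a hallucinated package
reportlab
--extra-index-url https://example.invalid/simple
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

A pinned version alone does not help with a hallucinated name: line 3 is pinned and still fails, because the check that matters is whether anyone has vetted the package.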

4. Input Validation Failures and Injection Vulnerabilities

The problem: AI models consistently fail to implement proper input validation. A 2025 study by Dinis Cruz demonstrated that ChatGPT-generated code was consistently vulnerable to SQL injection, even when explicitly asked to generate secure code. The model produced syntactically correct queries that were trivially exploitable.

Why it persists: Input validation is boring, repetitive, and doesn't contribute to the feature the developer asked for. The AI optimises for the visible outcome (does the form submit?), not the invisible security property (is the input sanitised?). Veracode's 2026 study confirmed that injection vulnerabilities remain the most common OWASP Top 10 violation in AI-generated code.

The fix: Never trust AI-generated input handling. Implement parameterised queries for all database operations. Apply strict input validation and output encoding, and verify it manually.

5. Insecure Authentication Implementations

The problem: Vibe-coded applications often implement authentication using flawed patterns: hardcoded session secrets, weak password hashing (or none at all), missing rate limiting on login endpoints, and session fixation vulnerabilities.

Why it's widespread: AI models trained on public repositories learn from projects that "work" for demo purposes: hardcoded admin passwords, MD5 hashing, and session tokens stored in local storage. These patterns are fine for prototypes but catastrophic in production. Apiiro's 2026 research documented a 322% increase in privilege escalation vulnerabilities in AI-generated code at Fortune 50 enterprises.

The fix: Use established authentication libraries rather than AI-generated auth code. Never accept AI-generated session management without review. Implement proper password hashing (bcrypt or Argon2), rate limiting on auth endpoints, and secure session storage.

6. Insecure Direct Object References (IDOR)

The problem: AI models don't understand access control. When generating API endpoints, they consistently fail to implement authorisation checks. The result is applications where any authenticated user can access any other user's data by simply changing an ID parameter.

Why it's hard to detect: IDOR vulnerabilities are business logic flaws, not coding errors. They pass static analysis, functional tests, and even most security scanners. They only manifest when an attacker understands the application's data model, which an AI doesn't.

The fix: Implement authorisation checks on every API endpoint explicitly. Use role-based access control patterns. Never assume that an AI-generated endpoint has proper authorisation; verify it endpoint by endpoint.
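Because these flaws pass functional tests, the endpoint-by-endpoint verification has to be written as a test of its own. The sketch below is an added example with constructed data and hypothetical handler names: it calls every handler as every user who does not own the object and reports each call that succeeds.

```python
class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the object."""

# Constructed data: invoice id -> record with its owner.
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 75},
}

def get_invoice_unchecked(user, invoice_id):
    # Authenticated but not authorised: any logged-in user can read any id.
    return INVOICES[invoice_id]

def get_invoice(user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    # Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != user:
        raise Forbidden(invoice_id)
    return invoice

def cross_user_audit(handlers, owners, users):
    """Return (handler, user, object_id) for every non-owner call that succeeded."""
    leaks = []
    for name, handler in handlers.items():
        for object_id, owner in owners.items():
            for user in users:
                if user == owner:
                    continue
                try:
                    handler(user, object_id)
                except Forbidden:
                    continue
                leaks.append((name, user, object_id))
    return leaks

HANDLERS = {"get_invoice_unchecked": get_invoice_unchecked, "get_invoice": get_invoice}

def run_audit():
    owners = {oid: rec["owner"] for oid, rec in INVOICES.items()}
    return cross_user_audit(HANDLERS, owners, ["alice", "bob"])

if __name__ == "__main__":
    for leak in run_audit():
        print("cross-user access allowed:", leak)
```

Registering each new endpoint in `HANDLERS` keeps the check in CI, so an endpoint generated without an ownership test fails the build instead of reaching production.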

7. Cross-Site Scripting (XSS) in AI-Generated Frontends

The problem: AI models generate frontend code that renders user-supplied content without proper escaping. This creates classic stored and reflected XSS vulnerabilities, but at a much higher rate than human-written code.

Why it's systematic: The AI isn't "thinking" about whether a template variable could contain malicious HTML. It's generating the most statistically likely code pattern, and in the training data, unescaped template variables are common. A 2025 study by researchers at Georgia Tech found that XSS vulnerabilities were the second most common vulnerability class in AI-generated web applications.

The fix: Use frameworks with automatic output escaping. Never accept AI-generated template rendering without verifying that user content is properly escaped. Implement Content Security Policy headers as a defence-in-depth measure.

8. Missing Rate Limiting and Denial-of-Service Vulnerabilities

The problem: AI-generated APIs almost never include rate limiting, request throttling, or any kind of DoS protection. A vibe-coded application deployed to production can be taken offline by a single attacker with a simple loop.

Why it's overlooked: Rate limiting is an operational concern, not a functional one. The AI generates code that meets the functional requirement ("accept form submissions") and doesn't consider operational requirements ("but only 10 per minute per user"). Escape.tech's 2026 analysis found that 84% of vibe-coded APIs lacked any form of rate limiting.

The fix: Add rate limiting middleware to all API endpoints. Implement request size limits. Use a Web Application Firewall (WAF) in front of vibe-coded applications. Never deploy a vibe-coded API without operational hardening.
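The "10 per minute per user" requirement from this section as a sliding-window limiter with a request size cap, added as an example and not taken from any product mentioned here. The class name, the 64 KiB cap and the in-memory store are assumptions; a multi-instance deployment would keep the counters in a shared store.

```python
import math
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # key -> timestamps of admitted requests

    def check(self, key):
        """Return (allowed, seconds_until_a_slot_frees_up)."""
        now = self.clock()
        timestamps = self.hits[key]
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()  # forget requests that left the window
        if len(timestamps) < self.limit:
            timestamps.append(now)
            return True, 0.0
        return False, self.window - (now - timestamps[0])

MAX_BODY_BYTES = 64 * 1024  # assumed cap; size it to the largest legitimate request

def admit(limiter, user, content_length):
    """Return (status, headers) for a request before any handler code runs."""
    if content_length > MAX_BODY_BYTES:
        return 413, {}
    allowed, retry_after = limiter.check(user)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {}

def simulate():
    """Constructed traffic: one user sends 11 requests in 10 seconds, then waits."""
    now = [0.0]
    limiter = SlidingWindowLimiter(clock=lambda: now[0])
    statuses = []
    for second in range(10):
        now[0] = float(second)
        statuses.append(admit(limiter, "alice", 512)[0])
    statuses.append(admit(limiter, "alice", 512))        # 11th request at t=9
    statuses.append(admit(limiter, "bob", 512)[0])       # other users are unaffected
    now[0] = 60.0
    statuses.append(admit(limiter, "alice", 512)[0])     # oldest request has expired
    return statuses

if __name__ == "__main__":
    print(simulate())
```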

9. Over-Privileged Cloud Configurations

The problem: When AI generates cloud infrastructure code (Terraform, CloudFormation, Pulumi), it consistently creates over-privileged roles and open security groups. The AI generates configurations that "work" (everything has full access, all ports are open) without understanding the principle of least privilege.

Why it's catastrophic: Infrastructure-as-Code vulnerabilities affect every application deployed on that infrastructure. A 2025 Wiz Research study found that 20% of AI-generated Terraform configurations contained privilege escalation paths. Once deployed, these misconfigurations are invisible to application-layer security testing and can persist undetected for years.

The fix: Never deploy AI-generated infrastructure code without review. Use policy-as-code tools (Open Policy Agent, Checkov) to enforce least privilege. Apply the principle of least privilege manually to every IAM role and security group.
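The kind of rule a policy-as-code gate enforces, written out by hand as an added example; it is not Checkov or Open Policy Agent code. The policy document follows the AWS IAM JSON policy format, while the ingress rule structure and all sample values are constructed for the example.

```python
def as_list(value):
    """IAM allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]

def audit_iam_policy(policy):
    """Return (statement_index, reason) for Allow statements that break least privilege."""
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((index, "allow-with-notaction"))
        actions = as_list(statement.get("Action", []))
        resources = as_list(statement.get("Resource", []))
        if "*" in actions:
            findings.append((index, "all-actions"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((index, "service-wildcard-on-all-resources"))
    return findings

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def audit_ingress(rules, public_ports=frozenset({443})):
    """Return indexes of rules that expose non-approved ports to the whole internet."""
    exposed = []
    for index, rule in enumerate(rules):
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if rule["cidr"] in PUBLIC_CIDRS and any(p not in public_ports for p in ports):
            exposed.append(index)
    return exposed

# Constructed policy: the first two statements are what "it works" output looks like.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
# Constructed ingress rules in a simplified shape (not a Terraform schema).
RULES = [
    {"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535},
    {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},
]
```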

10. The Perception Gap: Why Developers Don't Know Their Code Is Vulnerable

The problem: Perhaps the most dangerous issue isn't a technical vulnerability at all: it's the widespread belief that AI-generated code is *more* secure than human-written code. Snyk's 2025 research found that 80% of developers hold this belief, despite every security benchmark proving the opposite.

Why it's the root cause: The perception gap prevents organisations from implementing the security processes they need. If developers believe AI output is inherently secure, they won't review it, won't test it, and won't question it. The arXiv:2512.03262 study confirmed that adding explicit security hints to prompts did not improve code security; the model simply doesn't have the security reasoning capability, no matter how you phrase the request.

The fix: Treat security training as a prerequisite for AI-assisted development. Implement mandatory security gates that apply equally to AI-generated and human-written code. Measure and report on vulnerability rates in AI-generated code to build organisational awareness.

The Bottom Line

The ten issues above are not theoretical. They are documented, measured, and actively exploited in production applications today. The arXiv:2512.03262 study's conclusion is worth repeating: "Our findings raise serious concerns about the widespread adoption of vibe-coding, particularly in security-sensitive applications."

The solution isn't to stop using AI coding tools. The productivity gains are too significant, and the competitive pressure to move faster is too intense. The solution is to implement the governance, testing, and review processes that make AI-generated code safe for production.

At Confuse The Machine, we help organisations bridge the gap between AI speed and production security. We audit vibe-coded applications, implement security testing gates, and build the governance frameworks that let teams move fast without breaking things.