What I Learned Scanning 100 Vibe Coded Projects


TL;DR

After scanning 100 projects built with AI coding tools (Cursor, Bolt, v0, Lovable, etc.), I found consistent vulnerability patterns. 78% had exposed API keys, 65% lacked rate limiting, 52% had broken authentication. AI tools are great at generating functional code but consistently miss security best practices unless explicitly prompted.

Vibe coding is amazing. You describe what you want, and AI generates a working application. But does working mean secure? I scanned 100 projects to find out, and the results were eye-opening.

The Numbers

  • 78%: Exposed API keys
  • 65%: No rate limiting
  • 52%: Auth vulnerabilities
  • 47%: Missing input validation

These aren't cherry-picked examples. They're consistent patterns across projects built with different AI tools, by developers of varying experience levels.

Top 5 Vulnerabilities in Vibe Coded Projects

1. Exposed API Keys (78% of projects)

The most common issue by far. API keys for OpenAI, Stripe, Supabase, and other services hardcoded in client-side JavaScript or committed to repositories.

Why AI Does This

AI tools generate working code based on documentation examples, which often show inline API keys for simplicity. Without explicit prompting about environment variables, the AI takes the path of least resistance.

2. Missing Rate Limiting (65% of projects)

API endpoints that can be called unlimited times, vulnerable to abuse, scraping, and DDoS-like attacks. Particularly dangerous for AI-powered features with per-request costs.

3. Authentication Issues (52% of projects)

Common problems included:

  • JWT tokens stored in localStorage (vulnerable to XSS)
  • Missing session expiration
  • User enumeration via login error messages
  • Password reset tokens that don't expire

4. No Input Validation (47% of projects)

User input is passed directly to database queries or APIs, or rendered in HTML, without validation or sanitization. This creates XSS, SQL injection, and NoSQL injection vulnerabilities.

5. Broken Access Control (41% of projects)

Users able to access or modify other users' data by changing IDs in URLs or API requests. The classic IDOR (Insecure Direct Object Reference) vulnerability.

Why AI Misses Security

AI coding tools are trained to generate functional code that accomplishes the stated goal. In professional development, security is usually an implicit requirement; with AI tools it has to be requested explicitly:

  • Users ask for "a user login system", not "a secure user login system with rate limiting, proper session management, and protection against common attacks"
  • Documentation examples prioritize clarity over security
  • AI optimizes for working code, not defensive code
  • Security edge cases aren't part of typical feature requests

How to Get Secure AI-Generated Code

  • Explicitly mention security requirements in your prompts
  • Ask AI to "review this code for security vulnerabilities"
  • Use follow-up prompts: "What security issues might this have?"
  • Always scan generated code before deployment
  • Don't assume AI knows best practices - verify
  • Add security-specific prompts: "use environment variables for secrets"

The Good News

Most vulnerabilities in vibe coded projects are fixable with straightforward changes. The issues aren't architectural nightmares - they're missing best practices that can be added after the fact:

  • Move API keys to environment variables
  • Add rate limiting middleware
  • Implement proper input validation
  • Add authorization checks to API endpoints
  • Use secure session management

The key is catching these issues before deployment, not after your first security incident.
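Two of the fixes from the list above (the IDOR check and rate limiting), written as an added example that is not code from the original post or from any scanned project. It is dependency-free Node.js; the sample documents, the RateLimiter class, the handler names and the req shape (user, ip, params, mimicking what an Express-style handler receives) are all assumptions.

```javascript
// Constructed sample data standing in for a database table (assumption).
const DOCUMENTS = new Map([
  ["doc-1", { id: "doc-1", ownerId: "alice", body: "alice's notes" }],
  ["doc-2", { id: "doc-2", ownerId: "bob", body: "bob's notes" }],
]);

// Fixed-window rate limiter keyed by caller (user id or client IP).
// now() is injectable so the window logic can be exercised deterministically.
class RateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }
  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// The shape the scan kept finding: the handler trusts the id in the URL and never
// asks whether the caller owns the record, so any caller reads any document.
function getDocumentVulnerable(req) {
  const doc = DOCUMENTS.get(req.params.id);
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Hardened shape: rate limit first, then authenticate, then check ownership.
// Returning 404 rather than 403 for someone else's record avoids confirming
// that the id exists (the same enumeration concern as the login errors above).
function getDocumentSecure(req, limiter) {
  const callerKey = req.user ? req.user.id : req.ip;
  if (!limiter.allow(callerKey)) return { status: 429 };
  if (!req.user) return { status: 401 };
  const doc = DOCUMENTS.get(req.params.id);
  if (!doc || doc.ownerId !== req.user.id) return { status: 404 };
  return { status: 200, body: doc };
}
```

In a real app the limiter state would live in a shared store rather than process memory, but the ordering of the checks is the part to copy.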

Which AI coding tools generate the most secure code?

In my testing, security varied more by prompt quality than by tool. All tools generated insecure code with basic prompts and improved significantly with security-specific prompts. No tool is secure by default.


Should I stop using AI for coding?

No. AI coding tools dramatically increase productivity. Just add security review to your workflow. Think of AI as a very fast junior developer who needs code review before anything goes to production.

How do I prompt AI for secure code?

Be explicit: "Create a login system with rate limiting, secure session management, protection against brute force attacks, and proper password hashing using bcrypt." Also ask follow-up questions about security specifically.

