Independent Research · May 2026

State of Vibe-Coded Security 2026

We analyzed 100+ apps built with Lovable, Bolt, Cursor, Claude, and v0. The findings are consistent across every independent audit: AI tools build fast, and the security defaults are not enough.

Scan my app freeRead the guides →
87%

of AI-built apps have High or Critical vulnerabilities

Across 40+ apps audited independently by PreBreach (2025–2026). Consistent with findings from VibeWrench (100 apps, avg grade D) and Lorikeet Security.

72%

expose API keys in client-side JavaScript

65%

have missing or misconfigured Supabase RLS

100%

of fully audited apps had exploitable flaws

Methodology

This report synthesizes findings from published third-party audits, CVE disclosures, and community-reported incidents. The data comes from:

  • PreBreach — 40+ AI-built apps audited with OWASP Top 10 methodology (2025–2026)
  • VibeWrench — 100 apps scanned, 318 vulnerabilities found, average security grade D
  • ShipSafe — Cursor-specific analysis: 67% of audited apps had critical vulnerabilities (March 2026)
  • Lorikeet Security + Sherlock Forensics — independent full audits confirming 100% exploitable flaw rate
  • CVE database — CVE-2025-48757, CVE-2025-54136, CVE-2025-55182, CVE-2025-59536 and related disclosures
  • Published incident reports: Moltbook, Enrichlead, Base44, OpenClaw plugin attack

What we did not do: exploit live apps, access private user data, or conduct unauthorized testing. All findings are from published sources and opt-in audits. This is a fast first-pass review — not a penetration test — and cannot prove any specific app is fully secure.

Six findings across every audit

These patterns appear consistently across Lovable, Bolt, Cursor, and Claude-generated code.

01

Exposed secrets in client-side code

CRITICAL
72%

API keys, database connection strings, Stripe secrets, and third-party tokens embedded directly in JavaScript bundles served to every visitor. AI tools generate working code — the fastest path is often to put credentials inline.

Real incident:Enrichlead (Cursor-built): Compromised within days of launch. Subscription logic bypassed and API keys maxed out. The attack vector was a plaintext key visible in the bundled JavaScript.
Also:r/nextjs: A developer discovered their Postgres connection string, Stripe secret, SendGrid key, and AWS key had been live in their production bundle for three weeks.
Fix:Move all credentials to environment variables server-side. Run VibeScan to check whether your deployed bundle exposes anything now.
02

Missing security headers

HIGH
86%+

HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are absent on the majority of AI-built apps. These headers are not set by AI tools by default — they require explicit configuration. Without them, browsers cannot enforce the protections they are designed to provide.

Real incident:VibeWrench benchmark: 86%+ of 100 scanned apps returned no meaningful security headers. Average security grade: D.
Fix:Add security headers to your deployment config. For Vercel, add a headers() block in next.config.js. VibeScan checks these on every URL scan.
03

Supabase RLS misconfiguration

CRITICAL
65%

Row Level Security is enabled — but the policies say USING (true), which grants every row to every user regardless of who they are. AI tools generate syntactically correct RLS policies that are semantically open. Developers see "RLS enabled" and assume they are protected.

Real incident:CVE-2025-48757 (Lovable, April 2026): A backend regression re-enabled public project access. Any free account could read other users' projects, source code, and database credentials — affecting every project created before November 2025. Over 170 apps potentially exposed.
Also:Moltbook (Lovable-built): 35,000 emails, 1.5 million API tokens, and private messages leaked — including plaintext OpenAI keys.
Fix:Audit every RLS policy. USING (true) means open to everyone. The correct pattern is USING (auth.uid() = user_id). VibeScan checks public Supabase surface exposure.Full guide →
04

Auth gaps and inverted logic

HIGH
31–58%

31% of AI-generated apps have inverted authentication logic — a missing ! operator that blocks authenticated users while permitting anonymous ones. A separate 58% have no rate limiting on auth endpoints. Frontend-only role checks (the UI hides the admin panel but the API does not verify) affect 28%.

Real incident:ShipSafe analysis (March 2026): 67% of Cursor-built apps audited had at least one critical vulnerability. Inverted auth was found in 31% — a logical inversion that passes linting, unit tests, and code review because the code is syntactically correct.
Fix:Review every route guard. If the condition checks role or authentication, verify the logic inverts correctly. VibeScan checks for common auth exposure patterns on public endpoints.
05

Exposed admin and debug endpoints

HIGH
45%

Admin panels, debug routes, and internal API endpoints left publicly accessible. AI tools generate scaffolding quickly — routes intended for internal use often have no authentication guard applied because the developer did not specify one.

Real incident:Base44 BOLA (Broken Object Level Authorization): Admin endpoints accessible without authentication. Attackers could enumerate and modify other users' resources by iterating over predictable IDs.
Fix:Audit every route in your app. Any route that reads or writes user data must verify session and ownership server-side — not just hide the UI. VibeScan checks for common exposed endpoint patterns.
06

Vulnerable dependencies and supply chain

HIGH
Growing

Outdated packages with known CVEs, malicious MCP server integrations, and plugin injection attacks. AI tools recommend and install packages based on training data — which may include deprecated or compromised packages. MCP integrations introduce a new attack surface that has no existing tooling.

Real incident:CVE-2025-54136 (Cursor): A malicious MCP configuration file triggers remote code execution. No user interaction beyond opening a project required.
Also:OpenClaw plugin attack: 1Password tokens exfiltrated through a compromised Cursor plugin. Developers who installed the plugin granted filesystem access to the attacker.
Fix:Audit installed packages and MCP integrations before shipping. Paste your lockfile into VibeScan for exact-version CVE matching against known advisories.

Platform breakdown

The same vulnerability classes appear across every platform. The differences are in severity and public disclosure history.

PlatformTop issueCVEsRisk
LovableRLS misconfiguration + BOLA170+ apps exposed in April 2026 incidentCVE-2025-48757High risk
BoltMissing security headersNo independent security analysis published yetNone filed publiclyUnanalyzed
CursorRCE via MCP + inverted auth67% of audited apps had critical vulnerabilities (ShipSafe)CVE-2025-54136, CVE-2025-54135High risk
Claude / Claude CodeMCP RCE + auth endpoint gapsMCP file bypass and RCE disclosed Feb 2026 (Check Point)CVE-2025-59536, CVE-2025-59944Medium risk
v0 / VercelReact Server Component data leaksReact2Shell: source disclosure + DoS in Next.js 15–16 (Dec 2025)CVE-2025-55182, CVE-2025-55184Medium risk

Who is most at risk

Solo founders shipping to real users

Building fast is the point of AI tools — but the gap between 'it works' and 'it is secure' is widest when there is no second set of eyes on the code.

Apps that handle payments or auth

Stripe keys in client bundles, open RLS on a users table, and inverted auth on a subscription check. Any one of these is a critical incident.

Apps built by non-engineers

AI tools are explicitly marketed to non-technical builders. Security defaults that require developer configuration are invisible to this audience.

Apps deployed to production in under 48 hours

The faster the ship cycle, the fewer the checkpoints. The average vibe-coded app goes from idea to live URL in one session.

What to do before you launch

1

Run a URL scan on your deployed app

Check what your public surface actually exposes — headers, endpoints, bundle contents.

2

Audit every Supabase RLS policy

USING (true) is open to everyone. Every policy should scope to auth.uid() = user_id or equivalent.

3

Paste your lockfile and check CVEs

Your AI builder installed packages based on its training data. Some of those have known vulnerabilities now.

4

Check every route guard for inverted logic

If a condition gates by role or auth, read it twice. The missing ! is a common AI-generated mistake.

5

Verify security headers are set

HSTS, CSP, X-Frame-Options, X-Content-Type-Options. None are set by default in most AI-generated apps.

6

Move all credentials server-side

If a key is referenced in a client component or exported from a route, it is in the browser bundle.

Free audit

Get a free full report for your app

We’re running free audits with early users. Leave your email and we’ll send you the full paid-tier report — fix prompts included, no credit card needed.

No spam. Unsubscribe any time. Spots are limited.

Check your own app

Free scan in 30 seconds. Paste a URL, your AI builder output, or a lockfile. No GitHub access needed.

Scan my app

Free preview · Fix prompts and recheck from $9

Not a penetration test. Fast first-pass review of your public surface and the artifacts you provide.

Sources

  • PreBreach — OWASP Top 10 in AI-Generated Code (Feb 2026) · prebreach.dev
  • VibeWrench — 100 App Security Benchmark (2025–2026) · vibewrench.dev
  • ShipSafe — Cursor Security Risks: 67% Have Critical Vulnerabilities (Mar 2026) · ship-safe.co
  • Lorikeet Security + Sherlock Forensics — independent AI-app audit reports (2025–2026)
  • Lovable — Our Response to the April 2026 Incident (Apr 2026) · lovable.dev/blog
  • CVE-2025-48757 — Lovable BOLA: unauthorized project access
  • CVE-2025-54136 — Cursor RCE via malicious MCP file
  • CVE-2025-55182 — React2Shell: Next.js Server Component source disclosure
  • CVE-2025-59536, CVE-2025-59944 — Claude Code MCP RCE + file bypass (Check Point, Feb 2026)
  • Stanford / Perry et al. (2024) — Developers using AI assistance produce less secure code