Vibe coding has lowered the barrier to shipping software to nearly zero. Anyone can go from idea to deployed app in hours using Bolt.new, Lovable, Cursor, or Claude Code. That is the upside.
The downside: AI models generate code that works, not code that is secure. A 2026 Checkmarx report found that 65% of AI-generated applications contain at least one critical security vulnerability. Trend Micro data shows 42% of AI-generated database queries are injectable. These are not theoretical risks — they are actively exploited in the wild.
This guide covers the 10 most common security risks in vibe-coded apps, with real statistics, explanations of why vibe coding causes them, and concrete fixes for each one. There is a deployment checklist at the end.
Exposed API Keys and Secrets
73% of vibe-coded repos on GitHub contain at least one exposed secret (Checkmarx 2026)
Why Vibe Coding Causes This
AI models generate code that works, not code that is secure. When you ask for a Stripe integration, the AI often hardcodes the API key directly in the source file. Vibe coders who do not understand environment variables push these secrets to public repos.
How to Fix It
Use .env files for all secrets. Add .env to .gitignore before your first commit. Use tools like git-secrets or trufflehog to scan for exposed credentials. Never hardcode API keys, database URLs, or tokens in source files.
SQL Injection Vulnerabilities
42% of AI-generated database queries are vulnerable to injection (Trend Micro 2025)
Why Vibe Coding Causes This
AI models frequently generate string-concatenated SQL queries instead of parameterized queries. When you say "build me a search feature," the model might write code that directly inserts user input into a SQL string.
How to Fix It
Always use parameterized queries or an ORM (Prisma, Drizzle, SQLAlchemy). Never concatenate user input into SQL strings. If the AI generates raw SQL, rewrite it with parameterized placeholders before shipping.
Missing Authentication and Authorization
38% of vibe-coded apps ship API routes with no auth checks (OWASP 2026)
Why Vibe Coding Causes This
You ask the AI to build an API endpoint and it builds one that works for the happy path. It rarely adds authentication middleware unless you specifically ask. Vibe coders often forget that every API route is publicly accessible by default.
How to Fix It
Add auth middleware to every API route that handles user data. Use a proven auth library (NextAuth, Clerk, Supabase Auth). Check both authentication (who are you?) and authorization (what can you access?) on every protected endpoint.
Cross-Site Scripting (XSS)
31% of AI-generated frontend code has at least one XSS vector (Checkmarx 2026)
Why Vibe Coding Causes This
AI models render user content without sanitization. When you build a chat feature or comment system, the model may use unsafe HTML rendering methods without proper escaping. User-submitted HTML, JavaScript, or Markdown becomes an attack vector.
How to Fix It
Never render raw user input as HTML. Use framework-native escaping (React auto-escapes JSX by default). When you must render HTML, use a sanitizer like DOMPurify. Validate and sanitize all user input on the server side.
Insecure Dependencies
Average vibe-coded project pulls 147 npm packages, 23% with known vulnerabilities (Snyk 2026)
Why Vibe Coding Causes This
AI models suggest packages based on training data, which may reference outdated or abandoned libraries with known CVEs. Vibe coders rarely audit their dependency tree because they did not choose the packages themselves.
How to Fix It
Run npm audit or yarn audit after every AI-generated dependency addition. Use Snyk or Dependabot for continuous monitoring. Prefer well-maintained packages with recent updates and active communities.
Get the Vibe Coding Cheat Sheet
Best tool for every use case + pricing + pro tips. One page, zero fluff. Plus weekly updates on new tools.
Missing Rate Limiting
67% of vibe-coded APIs have no rate limiting (OWASP 2026 Application Security Report)
Why Vibe Coding Causes This
Rate limiting is never part of the "build me a todo app" prompt. AI generates functional endpoints without any abuse protection. A single user can hammer your API, drain your database, or run up your serverless bill.
How to Fix It
Add rate limiting to all public API routes. Use libraries like express-rate-limit, Upstash Ratelimit, or Vercel Edge middleware. Set sensible limits: 100 requests per minute for general endpoints, 5 per minute for auth endpoints.
Overly Permissive CORS
54% of AI-generated backends use Access-Control-Allow-Origin: * (Trend Micro 2025)
Why Vibe Coding Causes This
When the AI hits a CORS error during development, it often fixes it by allowing all origins. This is fine for local dev but disastrous in production — any website can make authenticated requests to your API.
How to Fix It
Set CORS to allow only your production domain(s). Never use wildcard (*) with credentials. Configure CORS once in your middleware, not per-route.
No Input Validation
59% of AI-generated API handlers accept any input shape (Checkmarx 2026)
Why Vibe Coding Causes This
AI-generated code trusts the client. When you ask for a form handler, the model writes code that processes whatever the client sends without checking types, lengths, or formats. Malformed input crashes your server or corrupts your database.
How to Fix It
Validate all input on the server with Zod, Joi, or yup. Never trust client-side validation alone. Check string lengths, number ranges, required fields, and data types for every API endpoint.
Verbose Error Messages in Production
45% of vibe-coded apps leak stack traces to end users (OWASP 2026)
Why Vibe Coding Causes This
AI models generate detailed error messages for debugging convenience. These error messages expose file paths, database schemas, and internal logic to anyone who triggers an error.
How to Fix It
Use generic error messages in production. Log detailed errors server-side (use a service like Sentry, LogRocket, or Axiom). Return only error codes and safe messages to the client. Set NODE_ENV=production in your deployment.
Missing HTTPS and Security Headers
28% of vibe-coded deployments lack basic security headers (SecurityHeaders.com 2026 scan)
Why Vibe Coding Causes This
Deployment is often an afterthought in vibe coding. The AI builds the app, you deploy it, and nobody configures security headers. Missing headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security leave your app vulnerable.
How to Fix It
Deploy behind HTTPS (Vercel, Netlify, and Cloudflare do this automatically). Add security headers in your middleware or server config. Use SecurityHeaders.com to scan your deployed site. Set Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security at minimum.
Pre-Deployment Security Checklist
Run through this checklist before every deployment. Print it, bookmark it, or paste it into your project's README. Every item maps to one of the 10 risks above.
Tools That Catch These Issues
You do not need to catch every vulnerability manually. These tools automate the most important checks:
npm audit / yarn audit — Built-in dependency vulnerability scanning. Run after every install.
Snyk — Continuous dependency monitoring with auto-fix PRs. Free tier available.
trufflehog / git-secrets — Scans git history for exposed secrets, API keys, and tokens.
Sentry — Error tracking that captures production errors without exposing them to users.
SecurityHeaders.com — Free scanner that grades your site on security header configuration.
OWASP ZAP — Free open-source security scanner. Runs automated penetration tests against your app.
Explore the tools themselves
Compare 17 vibe coding tools, including security features and deployment options.