Dev.to
5/11/2026
I Audited 50 Vibe-Coded Apps. Here's What Broke.

Short summary

Security audit of 50 production AI-generated apps (Lovable, v0, Bolt, Cursor, Claude Code) found five critical vulnerabilities: Row Level Security disabled in 70%, secrets leaked via NEXT_PUBLIC_ variables in 78%, inverted auth checks, unscoped AI agent tokens with drop-database capability, and prompt injection via unsanitized input. Includes grep detection commands and concrete SQL/code fixes for each.

  • 70% of audited apps had Supabase RLS disabled; NEXT_PUBLIC_ secrets exposed in 78%
  • Inverted auth logic, unscoped agent tokens, and direct prompt injection found across deployments
  • Each vulnerability includes detection commands (grep patterns) and fix code with real CVE references

Generated with AI, which can make mistakes.
