Vulnerabilities in Vibe-Coded Applications Highlighted
Severity: Medium (Score: 51.9)
Sources: Strobes.Co, pr.report
Keywords: coding, vibe, software, tenzai, research, vulnerabilities, vibe-coded
Severity indicators: vulnerabilities
Summary
Recent analyses of vibe-coded applications reveal common security vulnerabilities due to the nature of AI coding agents. Tenzai's research identified 69 vulnerabilities across five popular coding agents, focusing on their ability to write secure code. Notably, while agents effectively avoided SQL injection and XSS vulnerabilities, they struggled with complex authorization issues, particularly in API access controls. Strobes.Co outlined five critical flaws consistently found in vibe-coded apps, emphasizing the absence of essential security measures like access control checks. These vulnerabilities stem from the AI's focus on functional output rather than security considerations. The findings indicate a significant risk for organizations relying on AI-generated code without thorough audits.

Key Points:
- Tenzai's study found 69 vulnerabilities in vibe-coded applications from five coding agents.
- Common issues include broken access control and missing security measures in generated code.
- AI coding agents excel at avoiding certain vulnerabilities but struggle with complex authorization.
Detailed Analysis
**Impact** Developers and organizations using vibe coding AI agents to build applications are affected, with a dataset of 69 vulnerabilities identified across multiple apps. The vulnerabilities primarily impact authorization controls, risking unauthorized data access and manipulation, particularly in e-commerce and administrative systems. The issues pose operational risks including data breaches, unauthorized transactions, and potential service disruptions. No specific geographic or sector-wide impact data is provided.

**Technical Details** Vulnerabilities include broken access control (CWE-862), hard-coded credentials (CWE-798), and business logic flaws introduced by AI coding agents. Attack vectors involve missing or improperly enforced authorization checks on API endpoints, inline secrets in source code, and failure to implement ownership assertions. No malware or CVEs are specifically cited, but the vulnerabilities align with OWASP Top 10 categories such as Broken Access Control and Use of Hard-coded Credentials. Detection methods include static analysis with Semgrep and dynamic testing with tools like Burp Suite Repeater.

**Recommended Response** Apply default-deny authorization middleware or guards to all routes, enforcing explicit permission checks rather than relying on implicit assumptions. Use secret management solutions and environment variables to eliminate hard-coded credentials, and scrub git history to remove exposed keys. Deploy static analysis tools (e.g., Semgrep) to detect missing auth decorators and secret leaks, and perform dynamic endpoint testing with session manipulation to confirm access control enforcement. Monitor for unauthorized API access and rotate any exposed credentials immediately.
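
The default-deny guard and ownership assertion recommended above, shown as an added example (not code from Strobes.Co, Tenzai or this page). The small router, the policy names and the order data are hypothetical and constructed for illustration.

```python
# Added example: default-deny dispatch with an explicit ownership assertion.
# Router, policies and sample data are hypothetical, constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str = "customer"

# Constructed sample data: two orders owned by two different users.
ORDERS = {101: {"owner_id": 1, "total": 40}, 102: {"owner_id": 2, "total": 75}}

def admin_only(user, **params):
    return user is not None and user.role == "admin"

def owns_order(user, order_id=None, **params):
    # Ownership assertion: the record must exist AND belong to the caller.
    order = ORDERS.get(order_id)
    return user is not None and order is not None and order["owner_id"] == user.id

ROUTES = {}

def route(path, policy=None):
    """Register a handler; a route with no declared policy is never served."""
    def register(handler):
        ROUTES[path] = (handler, policy)
        return handler
    return register

@route("/orders/get", policy=owns_order)
def get_order(user, order_id):
    return ORDERS[order_id]

@route("/admin/refund", policy=admin_only)
def refund(user, order_id):
    return {"refunded": order_id}

@route("/orders/export")  # functional but unguarded: no policy was declared
def export_orders(user):
    return list(ORDERS.values())

def dispatch(path, user, **params):
    handler, policy = ROUTES.get(path, (None, None))
    if handler is None:
        return 404, None
    # Default deny: a missing policy is treated the same as a failed check.
    if policy is None or not policy(user, **params):
        return (401 if user is None else 403), None
    return 200, handler(user, **params)
```

Because the guard runs in `dispatch` rather than inside each handler, a route added without a policy fails closed instead of silently shipping as an open endpoint.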
Source articles (2)
- 5 Vulnerabilities in Every Vibe-Coded App — Strobes.Co · 2026-05-29
  Vibe coding means building software by describing what you want to an AI assistant and accepting most of what it generates without hand-auditing every line. The security debt traces to one structural…
- Tenzai's own research — pr.report · 2026-06-01
  Vibe coding has fundamentally changed how we create software. While coding agents deliver enormous benefits, their rapid adoption raises many important questions. As end-to-end AI-generated applicatio…
Timeline
- 2025-12-01 — Tenzai conducts security analysis: Tenzai tested five coding agents, identifying 69 vulnerabilities in applications built with vibe coding.
- 2026-05-29 — Strobes.Co publishes vulnerability findings: Strobes.Co detailed five recurring vulnerabilities in vibe-coded applications, highlighting access control issues.
Related entities
- Brute Force (Attack Type)
- Cross-Site Request Forgery (CSRF) (Attack Type)
- Server-Side Request Forgery (SSRF) (Attack Type)
- SQL Injection (Attack Type)
- Cross-Site Scripting (XSS) (Mitre Attack)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1021 - Remote Services (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1047 - Windows Management Instrumentation (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1055 - Process Injection (Mitre Attack)
- T1056 - Input Capture (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1110 - Brute Force (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- T1543.003 - Windows Service (Mitre Attack)
- T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
- T1566.001 - Spearphishing Attachment (Mitre Attack)
- T1566.002 - Spearphishing Link (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- CWE-287 - Improper Authentication (Cwe)
- CWE-347 - Improper Verification of Cryptographic Signature (Cwe)
- CWE-352 - Cross-Site Request Forgery (CSRF) (Cwe)
- CWE-639 - Authorization Bypass Through User-Controlled Key (IDOR) (Cwe)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- CWE-79 - Cross-Site Scripting (XSS) (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- CWE-89 - SQL Injection (Cwe)
- CWE-918 - Server-Side Request Forgery (SSRF) (Cwe)
- CWE-94 - Code Injection (Cwe)
- controls.it (Domain)
- Burp Suite (Tool)
- Gitleaks (Tool)
- Semgrep (Tool)
- TruffleHog (Tool)