DEV Community: Stefan Lederer The latest articles on DEV Community by Stefan Lederer (@stefan_lederer_8b1bbcef01). https://dev.to/stefan_lederer_8b1bbcef01 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3897177%2Ff0a3e780-29b5-498b-a281-e5a45aa13d24.png DEV Community: Stefan Lederer https://dev.to/stefan_lederer_8b1bbcef01 en We scanned 1,764 vibe-coded apps. 453 had critical vulnerabilities. Here's what we found beyond Supabase RLS. Stefan Lederer Sat, 25 Apr 2026 08:17:16 +0000 https://dev.to/stefan_lederer_8b1bbcef01/we-scanned-1764-vibe-coded-apps-453-had-critical-vulnerabilities-heres-what-we-found-beyond-464e https://dev.to/stefan_lederer_8b1bbcef01/we-scanned-1764-vibe-coded-apps-453-had-critical-vulnerabilities-heres-what-we-found-beyond-464e <p>We just finished scanning 1,003 vibe-coded apps across Lovable, Bolt, Replit, Vercel, Streamlit, Heroku, and others. The Supabase RLS story is well-documented by now — 7% of Lovable apps and 6% of Bolt apps have tables wide open. But RLS accounted for 183 of our 190 CRITs. The other 7 came from finding classes that are arguably worse. </p> <h2> 1. IDOR — health records accessible by incrementing an ID </h2> <p>Two Replit apps had IDOR vulnerabilities:</p> <ul> <li> <code>GET /api/bookings/{id}</code> returns any user's booking details by iterating the ID. No auth check.</li> <li> <code>GET /api/privacy-health/{id}</code> returns health-related records. Change <code>/bookings/1</code> to <code>/bookings/2</code>. No tools needed, just a browser. </li> </ul> <p><strong>Why vibe-coded apps are vulnerable:</strong> AI code generators create CRUD endpoints with sequential IDs and no authorization middleware <br> by default. </p> <h2> 2. OpenAI keys in public JS bundles </h2> <p>Two Bolt.host apps shipped live <code>sk-proj-*</code> keys in <code>/assets/index-*.js</code>. Anyone can burn their API credits.</p> <p>Our scanner flagged <strong>38 apps across all platforms</strong> with hardcoded API keys — 17 on Bolt.host (1 in 15), 18 on Vercel (1 in 4).</p> <h2> 3. Entire APIs with zero authentication </h2> <p>Two apps exposed full OpenAPI specs with <code>components.securitySchemes</code> entirely empty. Every endpoint callable without any token.</p> <h2> 4. Private key material in production JS </h2> <p>One Heroku app ships PEM-format private key material inside its static JS bundle. Webpack bundled a <code>.env</code> value into the client code. </p> <h2> 5. The hardcoded API key epidemic on Bolt.host </h2> <p>Across 251 Bolt.host apps</p> <ul> <li> <strong>17 apps (6.8%)</strong> had hardcoded API keys in JS </li> <li> <strong>18 of 67 Vercel AI apps (26.9%)</strong> — highest rate </li> <li> <strong>Lovable: zero.</strong> Their code gen routes calls server-side by default. </li> </ul> <h2> The pattern </h2> <p>AI coding tools optimize for "does it work?" not "is it safe?" The developer's prompt doesn't include "add auth middleware" because that's not a functional requirement. </p> <h2> Scan your own app </h2> <p>Enter your URL at <a href="https://securityscanner.dev" rel="noopener noreferrer">securityscanner.dev</a> — quick scan takes 10 seconds, no signup. Full 70-module scan:<br> one free, no card. </p> <p>Full report with per-platform data: <a href="https://securityscanner.dev/reports/2026-q2" rel="noopener noreferrer">securityscanner.dev/reports/2026-q2</a> </p>