9 gaps between a vibe-coded prototype and production, with 2026 breach data
Summary. The Cloud Security Alliance published a research note on 6 April 2026 that puts numbers on something founders keep discovering the expensive way. Georgia Tech's Vibe Security Radar confirmed 74 AI-linked CVEs through March 2026, with monthly new CVEs rising from 6 in January 2026 to 35 in March, roughly a 6x increase in 3 months. Veracode tested more than 100 large language models across 80 coding tasks and found 45% of AI-generated samples failed security tests against the OWASP Top 10, with Java worst at 72%. Checkmarx put the insecurity rate as high as 70%. One default Firebase rule, allow read: if true, exposed 406 million records belonging to roughly 25 million users of Chat & Ask AI in January 2026. None of this means the prototype was a mistake. It means the prototype is a prototype.
The pattern in the data is specific and useful: AI code generators are competent at code that works and unreliable at controls that require system-wide intent. That is not a flaw you fix with a better prompt. It is a set of nine gaps you close deliberately before launch.
Why AI builders fail in one predictable direction
The failure mode is structural, and the Cloud Security Alliance states it plainly. Language models produce code by predicting plausible continuations of patterns in their training data. They do not reliably reason about threat models, do not consistently apply authorization logic across multi-role systems, and do not anticipate how a code path behaves under adversarial conditions.
That predicts exactly which controls break. Row-level database policies, API authentication middleware and cross-service authorization checks all require explicit, system-wide intent. They are the controls AI generators handle worst, and they are also the ones invisible to a founder without a security background.
The evidence supports the prediction rather than the panic. A December 2025 CSO Online study built identical applications with Claude Code, OpenAI Codex, Cursor, Replit and Devin from standardised prompts, and found 69 vulnerabilities across 15 generated applications. The most common critical class was API authorization logic failures and broken business logic. The same study found zero exploitable SQL injection or cross-site scripting in the agentic tools, in contrast with higher rates in direct model testing.
That contrast is the most useful finding in the whole literature. Modern tools have learned to avoid classic injection patterns. They have not learned your permission model, because your permission model is not in their training data.
The evidence, by study
| Study | Scope | Headline finding |
|---|---|---|
| Veracode 2025 GenAI Code Security Report | 100+ LLMs, 80 tasks, Java, Python, C#, JavaScript | 45% of samples failed OWASP Top 10 tests; Java 72%; only 12-13% of XSS-prone code secure |
| Checkmarx, Security in vibe coding | Multiple developer assistants | Up to 70% of AI-generated code insecure |
| CSO Online, December 2025 | Claude Code, Codex, Cursor, Replit, Devin; 15 apps | 69 vulnerabilities; authorization logic the top critical class; no exploitable SQLi or XSS |
| CSA, July 2025 | AI-generated code solutions | 62% contain design flaws or known vulnerabilities, even on latest models |
| Package hallucination study, March 2025 | 576,000 samples, 16 LLMs | 19.7% of suggested dependencies do not exist; 43% of fake names recur consistently |
| Cybernews | 38,630 Android apps with AI features | 197,092 hardcoded secrets, present in 72% of apps analysed |
| CovertLabs, January 2026 | 198 iOS AI applications | 196 of them, 98.9%, had misconfigurations exposing data |
Veracode's other result deserves attention from anyone waiting for the next model to fix this: security performance stayed largely flat across successive model generations. Capability improved. Security did not follow.
The 9 gaps
| # | Gap | What the evidence shows |
|---|---|---|
| 1 | Database access controls | CVE-2025-48757: 303 vulnerable endpoints across 170 apps in a scan of 1,645 Lovable apps, from missing Supabase row level security |
| 2 | Authorization and business logic | Top critical class in the CSO Online study of 5 agentic tools |
| 3 | Secrets and client-side keys | 197,092 hardcoded secrets across 38,630 Android apps; Lovable embedded the Supabase anonymous key in client-side JavaScript |
| 4 | Dependency provenance | 19.7% of AI-suggested packages are hallucinated; "slopsquatting" registers those names with malicious payloads |
| 5 | Web hardening | Only 12-13% of AI-generated XSS-prone code was secure in Veracode's testing |
| 6 | Automated security gates | Fewer than 25% of developers run software composition analysis on AI suggestions |
| 7 | Change safety over time | Code modified repeatedly by GPT-4o carried 37% more critical vulnerabilities after only 5 iterations |
| 8 | Developer environment | CVE-2025-54135 (CurXecute) executed arbitrary commands via a Cursor MCP server; CVE-2025-53109 exposed file read and write through an MCP filesystem server |
| 9 | Governance and ownership | 72% of respondents to CSA's December 2025 report were not confident they could secure AI systems |
1. Database access controls
This is the single highest-yield fix, and the incident record is unambiguous. CVE-2025-48757 affected applications generated by Lovable that never configured Supabase row level security. Researchers scanning 1,645 Lovable applications found 303 vulnerable endpoints across 170 of them, roughly 10% of the platform's publicly reachable apps. Unauthenticated attackers could read and write arbitrary tables holding personal data, financial records, developer API tokens and admin credentials.
The root cause was not one bad app. Lovable did not implement row level security unless told to, and users did not know to ask.
The same shape recurs. Moltbook, whose founder said publicly he "didn't write a single line of code", exposed 4.75 million records in January 2026, including 1.5 million API tokens and 35,000 email addresses. Chat & Ask AI shipped a Firebase instance with allow read: if true and exposed 406 million records.
Audit this first. It is common, consequential, and quick to detect once someone looks.
2. Authorization and business logic
Authorization is where AI tools stay weakest, because correct authorization depends on facts about your business that exist only in your head. The CSO Online study attributed its top critical findings to exactly this: no intuitive understanding of system-wide intent.
Production work means writing the permission model down as a specification, then testing it adversarially by role rather than trusting that generated middleware does what its function name suggests.
3. Secrets and client-side keys
Assume secrets are hardcoded until a scan says otherwise. Cybernews found 197,092 unique hardcoded secrets across 38,630 AI-enabled Android applications, present in 72% of them. The CSA note recommends treating their presence as the default assumption pending scan results, with particular attention to client-side code that ships backend keys inside a browser bundle or mobile binary.
4. Dependency provenance
The supply-chain risk here is new and specific. A March 2025 study of 576,000 generated Python and JavaScript samples across 16 models found 19.7% of suggested package dependencies were hallucinated. Open-source models hallucinated at roughly 22%, commercial models at about 5%. Crucially, 43% of the fake names recurred across queries, which makes them predictable enough to squat.
Seth Larson of the Python Software Foundation named the resulting attack slopsquatting: register the commonly hallucinated names in PyPI or npm, wait. The Cloud Security Alliance notes no confirmed exploitation at scale has been publicly documented yet, and that every precondition is in place. Verify that a suggested package exists before accepting it, and generate a software bill of materials.
5. Web hardening
Veracode's cross-site scripting result is the sharpest number in the set: only 12-13% of AI-generated code written for XSS-prone tasks was secure, an 86% failure rate for that class. Security headers, CSRF defence and output encoding are the kind of cross-cutting concern a generator skips because no single prompt asked for them.
6. Automated security gates
The fix that scales is not more human review. It is treating AI-generated code as unverified input and making static application security testing and software composition analysis mandatory CI gates rather than optional steps. Fewer than 25% of developers currently run composition analysis on AI suggestions, and around 80% told Snyk they had bypassed security policy at some point in an AI-assisted workflow.
The Cloud Security Alliance is direct about why tooling beats review: organisations will accumulate AI-generated security debt faster than they can build the human capacity to review it.
7. Change safety over time
A degradation study cited in the CSA note asked GPT-4o to modify code up to 40 times in succession. After only 5 iterations the codebase carried 37% more critical vulnerabilities than the first output. Each revision is a fresh chance to quietly drop security-relevant logic, and nobody sees it happen in isolation.
This is why "just keep prompting until the bug goes away" is a strategy with a half-life. Our note on AI agent evals in CI/CD and silent failures covers catching this class of drift.
8. Developer environment
The tools themselves are attack surface. CVE-2025-54135, CurXecute, let an attacker instruct Cursor to run arbitrary commands on a developer machine through a connected Model Context Protocol server. CVE-2025-53109 exposed arbitrary file read and write via an MCP filesystem server, with advertised access restrictions failing to work as documented, disclosed by Cymulate as part of a coordinated advisory. Neither touches your deployed app. Both put your laptop and your credentials in scope. Teams running MCP in anger should read our MCP server hardening guide and the shell injection hardening notes for AI coding agents.
9. Governance and ownership
CSA's December 2025 governance report found 72% of respondents were not confident they could secure AI systems, and identified governance as the strongest predictor of readiness. The practical version for a founder is smaller than it sounds: know which parts of your codebase were generated, treat those as a distinct asset class, and answer the question before an enterprise buyer's security questionnaire asks it.
Prototype against production, honestly
| Dimension | What an AI builder gives you | What production needs |
|---|---|---|
| Speed to working demo | Hours, and it genuinely works | Unchanged; keep the speed |
| Access control | Default-open unless prompted; the RLS pattern behind CVE-2025-48757 | Explicit policies, tested per role |
| Secrets | Frequently embedded, including client-side | Vault or platform secret store, scanned in CI |
| Dependencies | About 1 in 5 suggestions may not exist | Verified, pinned, SBOM generated |
| Security testing | Absent unless you add it | SAST and SCA as blocking CI gates |
| Change safety | Degrades measurably across iterations | Tests that fail loudly when logic drifts |
| Ownership | Code nobody on the team has read | Someone accountable who understands it |
Vibe coding debt has a plain definition worth keeping: the code works, you do not fully understand why, and when it breaks at 02:00 you are debugging logic you never wrote.
The honest advice is not to stop using these tools. A quarter of Y Combinator's Winter 2025 batch had codebases that were 95% or more AI-generated, and Claude Code alone accounted for more than 4% of all GitHub commits by early 2026. This is how software gets started now. The discipline is in what happens between the demo and the first real customer.
India-specific considerations
For Indian teams, the deadline is regulatory as well as commercial. The Digital Personal Data Protection Act, 2023 and the DPDP Rules notified in November 2025 run on an 18-month phased compliance timeline, which puts full obligations on consent, notice, security safeguards and data-principal rights in May 2027. A prototype with a default-open database is a personal data breach waiting for a date stamp, and breach notification under the framework requires telling affected people in plain language what happened.
The gap-1 and gap-3 fixes, database access controls and secret hygiene, are the two that most directly decide whether an incident becomes a notification. Teams weighing what compliance actually costs can start with our DPDP compliance cost breakdown for Indian startups.
How we approach a prototype-to-production rescue
eCorpIT was founded in 2021 and works from Gurugram as a CMMI Level 5, MSME-certified organisation, with partnerships across AWS, Microsoft, Google, Shopify and Kaspersky. Our senior engineering teams take AI-built prototypes into production, and the sequence below is the one the evidence supports rather than a menu.
We start with a read-only audit against the nine gaps, weighted toward access control and secrets, because those two produce the incidents. We write the permission model down as a specification before touching code, since that is the artefact the generator never had. We put SAST, SCA and secret scanning into CI as blocking gates, so the control does not depend on anyone remembering. We keep what works: generated code that passes review stays, because rewriting working software to feel better about its provenance is a waste of your runway.
We design applications aligned with DPDP requirements and the relevant OWASP and NIST guidance, including NIST SP 800-218A for generative-AI-assisted development. Related work sits in our SaaS MVP development service and our QA and test automation service.
The engagement model is deliberately staged: audit first, fixed scope, then a hardening phase sized to what the audit finds. We do not quote a rebuild before reading the code, because most prototypes do not need one.
FAQ
Is AI-generated code actually less secure than human-written code?
Measured rates vary by methodology. Veracode found 45% of samples failed OWASP Top 10 tests, Checkmarx put it as high as 70%, and the Cloud Security Alliance found 62% contained design flaws in July 2025. The consistent finding is not uniform weakness but specific failure modes, concentrated in authorization and access control.
Which single fix gives the most protection?
Database access controls. CVE-2025-48757 exposed 303 endpoints across 170 Lovable applications through missing Supabase row level security, and the Moltbook and Chat & Ask AI incidents repeated the pattern. The Cloud Security Alliance notes this class is common, consequential, and technically straightforward to detect and fix once someone looks for it.
What is slopsquatting?
A supply-chain attack named by Seth Larson of the Python Software Foundation. Because roughly 19.7% of AI-suggested dependencies do not exist and 43% of those fake names recur predictably, an attacker can register the common ones in PyPI or npm with malicious payloads and wait for developers to install them.
Will newer models fix this on their own?
Veracode found security performance stayed largely flat across successive model generations, so capability gains have not translated into safer output. Agentic tools have improved on classic injection flaws, with the December 2025 CSO Online study finding no exploitable SQL injection or cross-site scripting, while authorization logic remained the persistent weak point.
Does prompting the AI to write secure code help?
Somewhat. The OpenSSF guide recommends explicit security prompting, including parameterised queries, input validation and least-privilege patterns, and endorses recursive criticism and improvement, where the model reviews its own output, citing measurable gains within two revision cycles. It supplements automated gates rather than replacing them.
Does the code get worse the more I iterate on it?
The evidence points that way. A degradation study cited by the Cloud Security Alliance asked GPT-4o to modify code up to 40 times, and after only 5 iterations the result held 37% more critical vulnerabilities than the first version. Each revision risks silently dropping security-relevant logic that nobody notices in isolation.
Are the AI coding tools themselves a risk?
Yes, separately from the code they write. CVE-2025-54135, called CurXecute, allowed arbitrary command execution on a developer machine through a Cursor Model Context Protocol server. CVE-2025-53109 exposed file read and write via an MCP filesystem server whose stated access restrictions did not work as documented.
Do we have to rebuild the prototype from scratch?
Usually not. The failure modes are characterisable rather than diffuse, which means an audit targeting access control, secrets, dependencies and authorization finds most of the risk. Generated code that passes review is fine to keep. Rewriting software that works, purely because a model produced it, spends runway without reducing exposure.
How eCorpIT can help
eCorpIT takes AI-built prototypes to production for founders and product teams, starting with a read-only audit against the nine gaps above rather than a rebuild quote. Our senior engineering teams write the permission model your generator never had, put security testing into CI as a blocking gate, and design applications aligned with DPDP and NIST SP 800-218A requirements. We keep the code that works and fix the controls that do not. If you have a working prototype and a first enterprise customer asking security questions, talk to us.
References
- Vibe coding security debt: AI-generated vulnerabilities at scale - Cloud Security Alliance AI Safety Initiative, 6 April 2026.
- 2025 GenAI Code Security Report - Veracode.
- Understanding security risks in AI-generated code - Cloud Security Alliance, 9 July 2025.
- Security in vibe coding - Checkmarx.
- Output from vibe coding tools prone to critical security flaws, study finds - CSO Online, December 2025.
- CVE-2025-48757: Lovable's row level security breakdown exposes sensitive data across hundreds of projects - SecurityOnline, May 2025.
- AI-hallucinated code dependencies become new supply chain risk - BleepingComputer, March 2025.
- AI-generated code vulnerabilities are tracked by Georgia Tech - Infosecurity Magazine, March 2026.
- Security-focused guide for AI code assistant instructions - OpenSSF Best Practices Working Group, 1 August 2025.
- Secure software development practices for generative AI and dual-use foundation models: NIST SP 800-218A - NIST, 26 July 2024.
- Every AI app data breach: 2025-2026 - Barrack AI. Compilation covering the Moltbook, Chat & Ask AI, CovertLabs and Cybernews findings.
- Critical vulnerability in Base44 authentication - Wiz Research, 29 July 2025.
- CVE-2025-53109 / CVE-2025-53110: EscapeRoute, Anthropic MCP filesystem server sandbox escape - Cymulate Research Team.
- What is vibe coding and what security risks does it bring? - Kaspersky.
- Securing vibe coding tools - Palo Alto Networks Unit 42.
- The state of AI security and governance - Cloud Security Alliance, December 2025.
- Vibe coding and the Tea app breach: why security can't be an afterthought - Barracuda Networks, 22 December 2025.
- Government notifies DPDP Rules to empower citizens and protect privacy - Press Information Bureau, MeitY, 14 November 2025.
Last updated: 17 July 2026.
Top comments (0)