
Anyone can vibecode now. But who lies awake over security?

Vibecoding put software-building in everyone's hands. Type a prompt, get an app. That is genuinely exciting, and it is also exactly why a lot of security people are not sleeping well.

the good part

Why everyone fell in love with vibecoding

Let's be fair: the upside is real, and we use these tools every day.

Anyone can start

You no longer need years of training to turn an idea into a working prototype.

Breakneck speed

What used to take weeks now takes an afternoon. Iterating is almost free.

Cheaper to explore

Testing ten ideas before committing to one is suddenly affordable.

Closer to the business

The people who feel the problem can sketch the solution themselves.

the catch

The demo works. That is not the same as safe.

AI tools optimise for one thing: making the feature work. Security is a non-functional requirement, so the model treats it as optional. The code runs, the demo dazzles, and the holes stay invisible until someone finds them.

45% of AI-generated code carried an OWASP Top 10 flaw, and the pass rate has barely moved. (Veracode)

10.5% of AI-generated code passed a security review, even though 61% worked functionally. (Carnegie Mellon)

2,000+ vulnerabilities and 400+ exposed secrets across 5,600 vibe-coded apps. (Escape.tech)

10× more security findings from AI-assisted developers, who also ship 3 to 4 times faster. (Apiiro)

+34% more hardcoded secrets in public GitHub commits in 2025, the biggest jump on record. (GitGuardian)

1 in 5 AI-generated snippets referenced a software package that does not exist. (UT San Antonio)
under the hood

Where your own vibecoded app tends to break

Not in the demo. In the parts nobody looked at.

Insecure dependencies

AI happily pulls in packages nobody vetted, including outdated or risky ones.

Code nobody can audit

Thousands of generated lines that work, until they don't, and nobody on your team understands them.

Incoherent architecture

Each prompt patches the last one. There is no plan underneath, only layers of quick fixes.

Inconsistent UX and UI

Screens that each look fine alone but never add up to one coherent product.

Weak login mechanisms

Default auth that skips checks, leaks tokens, or trusts the browser it should never trust.

Hardcoded secrets

API keys and passwords baked straight into the code, visible to anyone who looks.

Bugs nobody can fix

When something breaks, there is no author to ask and no structure to reason about.

Unsafe infrastructure

Open storage buckets, no separation between test and production, no guardrails.
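A quick pre-ship check of the kind a team can run over generated code before it leaves the laptop. This is an added example, not code from the original post or from the company behind it; the snippet it scans is constructed to contain the hardcoded-secret and insecure-transport patterns listed above, and the regexes are deliberately narrow to keep noise low.

```python
import re
from typing import List, Tuple

# Constructed sample of the kind of generated code the post describes:
# the demo works, a key is baked in, and TLS verification is switched off.
SAMPLE_SOURCE = '''
import requests
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2"
API_URL = "http://api.internal.example/v1"
r = requests.get(API_URL, verify=False)
'''

# (check name, pattern). Each one maps to a failure mode named in the post.
CHECKS: List[Tuple[str, re.Pattern]] = [
    # AWS access key IDs have a fixed prefix and length.
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A variable named like a credential assigned a string literal.
    ("hardcoded-password",
     re.compile(r"(?i)\b\w*(password|passwd|secret)\w*\s*=\s*['\"][^'\"]+['\"]")),
    # requests/httpx style flag that disables certificate checks.
    ("tls-verification-disabled", re.compile(r"verify\s*=\s*False")),
    # Endpoints addressed over plaintext HTTP.
    ("plaintext-http-url", re.compile(r"['\"]http://[^'\"]+['\"]")),
]


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, check_name) for every line that trips a check."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}")
```

Reading the same values from the environment (`os.environ["API_SECRET"]`) trips none of the checks, which is the shape the refactor should leave behind.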

what it costs

And then the bill arrives

These are not abstractions. They are the headlines above, lived by real companies.

Data leaks

Customer data, IDs and private messages out in the open, permanently.

Hacks and takeovers

An exposed key is a front door. Attackers walk straight into your systems.

Access to your other platforms

One leaked credential often unlocks far more than the little app it came from.

Insecure communication

Data sent and stored without proper encryption, readable in transit.

where we come in

We make a vibecoded app safe, and keep it that way

You do not have to throw away what you built. Bring us the app you vibecoded, and we turn it into something you can actually run in production.

Secure it, and keep it secure

We audit what is there, close the holes, and put continuous monitoring and automated upgrades in place so it stays safe long after launch.

State-of-the-art infrastructure

We move it onto a mature, properly separated setup on AWS, with test and production apart and secrets where they belong.

Readable code our developers understand

We refactor the generated mess into clean, documented code a human team can own, extend and fix.


Worried about something you or your team vibecoded?

Let's take a look together. We'll tell you honestly where it stands and what it takes to make it safe.

Sources: Wiz, NPR, NVD, Fortune, Veracode, Carnegie Mellon, Escape.tech, Apiiro, GitGuardian, UT San Antonio, De Tijd.