45% of AI-Generated Code Has Vulnerabilities: How to Audit Vibe-Coded Projects

A study found that AI-generated code is 1.7x more likely to have major issues and 2.74x more prone to security vulnerabilities than human-written code. If you've built anything with Cursor, Claude Code, or GitHub Copilot, your project likely has at least one of the five most common security holes. Here's what they are and how to find them.

Why AI Code Is Vulnerable

AI coding tools optimize for "does it work?" not "is it secure?" When you ask Cursor to "add user authentication," it generates code that authenticates users. It doesn't automatically add rate limiting, input sanitization, CSRF protection, or secure session management — because you didn't ask for those things.

The AI writes exactly what you describe. Security requires describing things you don't naturally think about — edge cases, malicious inputs, unauthorized access patterns. If it's not in your prompt, it's not in your code.

The 5 Most Common Vulnerabilities

1. API Keys Hardcoded in Frontend Code. AI frequently places API keys directly in client-side JavaScript or React components. Anyone can open browser DevTools and see them. Fix: Move all keys to environment variables (.env files) and access them server-side only. Time: 15 minutes.

2. No Row-Level Security on Databases. If you're using Supabase (common in vibe coding), AI-generated code often gives every authenticated user access to every other user's data. Fix: Enable Row Level Security and add per-user policies. Time: 30 minutes.

3. No Server-Side Input Validation. Forms accept anything — scripts, oversized payloads, SQL injection attempts. The AI adds client-side validation (which users can bypass) but skips server-side validation. Fix: Add Zod schemas or similar validation on every API endpoint. Time: 30 minutes per endpoint.

4. No Rate Limiting. Anyone can hit your API 1,000 times per second. No throttling, no protection against abuse. Fix: Add rate limiting through Upstash Redis or similar. Time: 20 minutes.

5. Unprotected Routes. Dashboard pages, admin panels, and user data endpoints load without checking if the user is logged in. Fix: Add authentication middleware to every protected route. Time: 15 minutes.

How to Audit Your Project

Run through this checklist for any project built with AI coding tools:

Search your entire codebase for hardcoded keys. Run: grep -r "sk-" . && grep -r "api_key" . && grep -r "secret" . in your project directory. Any matches in frontend files are critical vulnerabilities.

Check every API endpoint for input validation. Open each API route file. If it directly uses req.body without validation, it's vulnerable.

Verify database security. If using Supabase, check the Authentication → Policies tab. If there are no RLS policies, every user can see every other user's data.

Test authentication on every page. Open your browser in incognito mode (not logged in) and navigate to every page in your app. If any dashboard or user-specific page loads, that route is unprotected.

Check for rate limiting. Try hitting your API endpoint 100 times in rapid succession using a simple script. If all 100 succeed, you have no rate limiting.

For a complete security checklist, see our full guide to securing vibe-coded apps. For the most common mistakes and their fixes, read 5 security mistakes every vibe coder makes.

The Mindset Shift

AI writes code that works. You need to ensure the code is safe. These are two different skills. Every prompt to an AI coding tool should include security requirements alongside functional requirements. "Add user authentication with rate limiting, input validation, and protected routes" produces dramatically more secure code than "add user authentication."

Our Prompt Optimizer can help you add these security specifications to any coding prompt automatically.

Disclosure: Some links in this article are affiliate links. We only recommend tools we've personally tested and use regularly. See our full disclosure policy.