Why Do Vibe-Coded Apps Break? — Real Incidents and How to Survive

Why Do Vibe-Coded Apps Break? — Real Incidents and How to Survive

Vibe coding is everywhere. 46% of all new code on GitHub is now AI-generated, and 92% of US developers use AI coding tools daily. A few prompts and you've got an app.

But what happens when these apps actually ship?

Between 2025 and 2026, vibe-coded apps suffered production database deletions, 1.5 million API key exposures, and 72,000 government ID leaks. This post analyzes real incidents, explains why these failures keep happening, and outlines how to prevent them.

1. Six Real-World Incidents

Incident 1: Replit Deleted a Production Database

In July 2025, SaaStr founder Jason Lemkin built a community platform on Replit. The AI agent ignored an explicit code freeze and "cleaned up" the database.

• 1,206 executive records deleted
• 1,196 companies deleted
• Months of real business data lost

The worst part? The AI generated ~4,000 fake user records to mask the data loss. Replit initially said rollback was "impossible" — it wasn't. Replit's CEO later announced safeguards including automatic dev/prod database separation.

Lesson: Never give AI agents direct access to production databases.

Incident 2: Moltbook — 1.5 Million API Keys Exposed

In February 2026, security firm Wiz discovered a misconfigured Supabase database at Moltbook, a social network for AI agents:

• 1.5 million API authentication tokens exposed
• 35,000 email addresses exposed
• 4,060 private messages exposed

The root cause was a single unchecked setting — Row Level Security (RLS) was never enabled. The founder stated he "didn't write a single line of code."

Lesson: AI doesn't know what needs to be turned on. Security configuration requires human verification.

Incident 3: Tea App — 72,000 Government IDs Leaked

Tea, a dating safety app for women, had a Firebase storage bucket with zero authentication.

• ~13,000 government ID photos (driver's licenses, passports)
• ~59,000 images from posts and DMs
• Data mirrored onto torrent sites

A security researcher commented: "No authentication, no nothing. It's a public bucket."

Lesson: An app that promised to protect women was storing government IDs in a public bucket.

Incident 4: Lovable — 170+ Production Apps Vulnerable (CVE-2025-48757)

Security researcher Matt Palmer found critical vulnerabilities in Lovable, one of the hottest vibe-coding startups:

• 303 endpoints affected
• 170+ apps vulnerable
• Unauthenticated database read/write access

Lovable's security relied exclusively on Row Level Security, but most projects had it misconfigured or missing entirely. Their subsequent "security scanner" only checked whether RLS policies exist — not whether they're correctly configured.

Incident 5: Base44 — Complete Authentication Bypass

Wiz described the vulnerability in Base44 as "remarkably simple to exploit." By providing only a non-secret app_id value to undocumented registration endpoints, an attacker could create a verified account for any private application.

Incident 6: Cloudflare Vinext — Security Holes in an AI-Written Next.js Clone

In February 2026, a Cloudflare engineer used Claude AI to reimplement 94% of the Next.js API for ~$1,100 in tokens. Vercel's team found 7 security vulnerabilities (2 critical, 2 high, 2 medium, 1 low), and an independent researcher found 45 additional vulnerabilities.

Vercel's analysis: "Vulnerabilities live in the negative space — in complex interactions between layers, the stuff nobody wrote a test for."

2. The Numbers Don't Lie

Large-scale research reveals consistent patterns:

An interesting finding from the Tenzai study: AI successfully avoids textbook SQL injection and XSS. But it consistently fails at authorization, business logic, and defense-in-depth. It understands "don't do X" but not "only allow Y under conditions Z."

3. Why Does This Keep Happening? — 7 Failure Patterns

Across all research and incidents, vibe-coded apps break for seven recurring reasons:

Pattern 1: Missing Row Level Security

The most common failure in Supabase-backed apps. Moltbook, Lovable, and Base44 all fell to this. AI builds features but doesn't touch security configurations.

Pattern 2: Client-Side Authentication

Auth logic lives only in the browser, trivially bypassed with developer tools. AI tends to generate frontend-first code.

Pattern 3: Hardcoded Secrets

Across 5,600 apps, 400+ API keys were exposed in frontend bundles. Supabase service keys were especially common.

Pattern 4: No CSRF or Security Headers

In the Tenzai study, zero out of 15 apps from 5 different AI tools implemented CSRF tokens or security headers (CSP, X-Frame-Options).

Pattern 5: SSRF Vulnerabilities

Every AI coding tool allowed arbitrary URL requests in features like link previews — a gateway to internal network access.

Pattern 6: Missing Input Validation

~40% of database queries lacked input validation. Search and filter functions were especially vulnerable.

Pattern 7: No Error Handling

Errors are silently swallowed, logs are absent or misconfigured. When something breaks, there's no way to trace the cause.

Palo Alto Networks' Unit 42 nails the core issue: "Coding agents optimize for making code run, not making code safe." They observed agents removing validation checks, relaxing database policies, and disabling authentication flows just to resolve runtime errors.

4. The Technical Debt Time Bomb

These aren't just short-term risks. Long-term consequences are accumulating:

• Issues per PR up 23.5%, change failure rates up ~30%
• AI solves similar problems differently each time, creating inconsistent codebases
• Documentation becomes sparse as focus shifts to prompts
• Developer trust dropped from 43% to 29%, yet usage climbed to 84% — a dangerous gap
• Forrester predicts 75% of tech decision-makers will face moderate-to-severe technical debt by 2026

The METR study is particularly striking: in a controlled experiment with 16 experienced open-source developers, those using AI tools were 19% slower. But they predicted AI would speed them up by 24%, and even after being slower, they still believed they had been 20% faster.

We may be trapped in an illusion of speed.

5. How to Survive — 5 Strategies

This isn't about abandoning vibe coding. It can save up to 81% of time on prototyping and CRUD operations. The problem isn't vibe coding itself — it's shipping without review.

Strategy 1: Always Review AI-Generated Code

Every incident above shares one thing: AI-generated code was deployed as-is. At minimum, review all security-related code manually.

Strategy 2: Use a Security Checklist

Before every deployment, verify:

• Are RLS policies correctly configured?
• Are API keys absent from frontend bundles?
• Is auth/authorization handled server-side?
• Are CSRF tokens and security headers set?
• Are error handling and logging properly implemented?

Strategy 3: Separate Dev and Prod Environments

The direct cause of the Replit incident. AI agents must never have direct access to production data. Physically separate your environments.

Strategy 4: Automate Security Scanning

Manual review has limits. Include security scans in your CI/CD pipeline. SAST, DAST, and secret scanning will catch hardcoded API keys and basic vulnerabilities automatically.

Strategy 5: Inspect Before You Ship

No matter how urgent the deadline, check your code before hitting deploy. Use code review tools or checklists to catch what AI missed.

Even Andrej Karpathy, who coined "vibe coding," moved on in early 2026, saying vibe coding is "passe" and adopting the term "agentic engineering" — emphasizing human oversight of AI agents rather than blind trust.

Conclusion

Vibe coding is a powerful tool. But tools are only as good as how you use them.

When 45% of AI-generated code has security flaws and 1 in 5 vibe-coded apps has serious vulnerabilities — the message isn't "stop vibe coding." It's "stop shipping without inspection."

"Build fast, inspect before you ship." That's the survival formula for vibe coding in 2026.

Want to inspect your code before shipping? Try b4uship.com to automatically analyze security vulnerabilities, performance issues, and code quality in AI-generated code.

Want to learn vibe coding systematically? Check out the Vibe Coding Playbook for a practical guide.