There are a wide range of purpose-built tools for vibe coding, with some popular options including Cursor, Replit, Lovable, and Claude Code. These tools lower the barrier to entry for software development, accelerate traditional build cycles, and make it easier to prototype and test ideas at speed.
However, due to the limitations of the tools and their training data, AI-generated code can contain hidden flaws and vulnerabilities. With proper security scanning, manual code review, and threat modeling, these risks can be mitigated. In practice, though, some teams are skipping these steps and launching products that are not secure.
As a result, new vibe-coded platforms and services are reaching the market faster than traditional development approaches allowed. When organizations integrate these platforms too quickly and without thorough risk assessment, they increase their exposure to cyber attacks, data breaches, and long-term technical debt.
In this insight we will cover:
- What is vibe coding?
- Why security issues commonly appear in vibe-coded platforms
- The most common vulnerabilities found in AI-generated code
- What to look out for when integrating a new product into your tech stack
- What vibe coding means for modern software risk
What is vibe coding?
Vibe coding is the process of generating code by prompting AI tools in natural language. This is in contrast to traditional coding, where the developer uses a specific coding language to manually write lines of code.
The term was coined in February 2025 by computer scientist Andrej Karpathy, although the practice of using LLMs and other AI tools to assist with and write code has been ongoing for several years.
The initial tweet from Karpathy specifically defined vibe coding as only using natural language and prompts, with no manual editing of the code – “There’s a new kind of coding I call “vibe coding”, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists”.
Since then, the term has evolved to cover a broader range of practices, including projects where AI-generated code is combined with traditional development methods.
Why security issues appear in vibe-coded platforms
Used thoughtfully, vibe coding can be a powerful way to prototype ideas and accelerate internal development. The risk emerges when AI-generated code, or third-party products built using these approaches, is treated as production-ready without the same scrutiny traditionally applied to software security.
There are several issues which lead to security flaws in vibe-coded products:
- Blind trust in the code: Instead of assuming there will be flaws in the AI-generated code, developers may incorrectly trust that the output is correct, and will not thoroughly review it for vulnerabilities.
- Training data bias: LLMs are trained on a bank of existing data, which they learn from to produce their output. If the model is trained on flawed code, it is likely to reproduce these flaws.
- Rushing platform launches: As vibe coding can be significantly quicker than manually writing code, it can be seen as a shortcut to a shorter development process and earlier launch. Developers may be under pressure to keep up with competitors who are rapidly launching vibe-coded products, and overlook flaws.
- Contextual blindness: LLMs produce their output based on pattern recognition, without the understanding of context a human developer has. This can lead to illogical code, with vulnerabilities that the AI doesn’t recognize.
Over time, these shortcuts can also create technical debt, as poorly structured or undocumented AI-generated code becomes harder to maintain, secure, and scale.
Common vulnerabilities in AI-generated code
These security issues often surface in the following ways:
- Injection attacks (SQL injection, XSS, command injection): User input may be inserted directly into queries, pages, or commands without proper protection, allowing attackers to run malicious code.
- Poor input validation: Applications may not properly check user input, making it easier for harmful data to get through.
- Hardcoded secrets: API keys, passwords, or tokens may be written directly into the code, where they can be easily exposed.
- Broken access control: Permissions may be too broad, or admin features left open without proper checks.
- Insecure deserialisation: Unsafe methods for handling data, such as using Python’s pickle module with untrusted input, can allow remote code execution.
- Outdated or vulnerable dependencies: Third-party libraries may be added without checking for known security issues or keeping them up to date.
- Sensitive data exposure: Weak error handling, logging, encryption, or misconfigured CORS settings can expose private data.
- Weak authentication and session handling: Login flows, tokens, or sessions may not be properly secured, increasing the risk of account takeover.
- Insecure default settings: Debug modes, open services, or default credentials may be left enabled in production.
- Lack of security review and testing: Fast development can mean skipping code reviews and security testing, allowing issues to go unnoticed.
What should you look out for when integrating a new product into your tech stack?
For organizations adopting third-party AI-built platforms rather than developing them in-house, these risks can be harder to detect, but no less important to address. When you integrate a new product into your tech stack, you place a high level of trust in the platform and the provider. Platforms that have access to your organisation’s systems and data are particularly vulnerable if the correct security checks and procedures have not been followed by the developer.
It does not automatically follow that if the developers have used AI, the platform is not secure. Many legitimate companies will use AI in their processes, whilst still ensuring all appropriate safeguards are in place.
Common red flags to look out for include:
- Vague or generic product information: Product details and websites that offer broad, general language, but provide little detail on architecture, security controls, or data handling may be masking flaws in the product.
- Limited or unclear security information: If security documentation is missing, superficial, or difficult to obtain, this can indicate that security has not been prioritized.
- Inability to answer technical questions: Providers should be able to clearly explain how their platform works, how data is protected, and how risks are managed. Hesitation or vague answers are a warning sign.
- Unusual or inconsistent user experience: AI-generated platforms can sometimes exhibit strange workflows, unclear logic, or inconsistent behaviour. Poor user experience can be an indicator of limited testing and rushed development.
- Reluctance to offer live demos or trials: A lack of hands-on demonstrations can make it harder to assess usability, reliability, and security controls in practice.
- Unclear update and support processes: If it is not clear how bugs, vulnerabilities, or incidents are handled, or who is responsible for fixing them, this increases operational and security risk.
- Rapid feature expansion with little documentation: Frequent new features without corresponding documentation or release notes can indicate speed is being prioritized over stability and security.
- The product seems too good to be true: Claims of extreme speed, low cost, or full automation with little explanation of how security, reliability, or scalability are handled should prompt closer scrutiny.
There is no one clear way to tell if a platform has been vibe coded, and if this has led to security issues. However, if you are aware of these warning signs, and apply due diligence whenever you add a new product to your tech stack, you can mitigate the risk to your systems and data.
What vibe coding means for modern software risk
Vibe coding is not inherently dangerous. Used thoughtfully, it can lower barriers to innovation, accelerate experimentation, and help teams move faster than ever before. The challenge lies in how quickly trust is granted to AI-generated code and the platforms built on top of it.
As AI-built products continue to enter the market at speed, organizations need to apply the same level of scrutiny they would to any other software.
When software can be created in days rather than months, careful evaluation, clear accountability, and basic security checks remain essential to managing risk and maintaining trust.