#vibe code

Feed wouldn't refresh. So I clicked on my own account - oopsie not enough resources!

So I close the app and re-open it - oopsie whole thing broken!

AI tools can get you from idea to working app in a weekend. They can also get you from a working app to a security disaster in the same timeframe. Here’s what you actually need to know.

In February 2026, a founder built an entire social network — Moltbook — without writing a single line of code. He said so publicly, as a point of pride. Vibe coding tools did everything. The app worked. Users showed up.

Then, security researchers found that 1.5 million user credentials had been sitting wide open on the internet since launch. Not because of a sophisticated hack. Because the AI scaffolded the database with public read and write access, and nobody reviewed it before shipping.

That story is not a warning to stop using vibe coding. It is a lesson in where the line is. And in 2026, most founders have not found the line yet.

What vibe coding actually is

Vibe coding is using AI tools like Cursor, Lovable, Claude Code, Bolt, or Replit to generate entire applications from natural language descriptions. You describe what you want. The AI writes the code. You ship it.

The term was coined by Andrej Karpathy — former OpenAI founding member and Tesla AI director — in early 2025. By 2026, 92% of US developers will use some form of AI coding assistance daily. Non-technical founders are building and shipping full products without engineering backgrounds. The speed is real, and the tools are genuinely good.

The problem is not the tools. The problem is a workflow that treats “does it work” as the finish line when the actual finish line is “does it work safely at scale with real user data.”

The data that should change how you think about this

Veracode analysed 4 million code scans and found security flaws in 45% of AI-generated code

Escape. tech scanned 5,600 vibe-coded apps and found 2,000+ vulnerabilities, 400+ exposed API keys, and 175 PII leaks

CodeRabbit found that AI-co-authored code has 2.74x more security issues than human-written code

Beesoul audited apps built with Lovable and found 70% had row-level security disabled on their databases

Georgia Tech’s Vibe Security Radar: 6 CVEs from AI code in January, 35 in March 2026 — and growing

53% of organisations have found security issues in AI-generated code that passed their initial review

These are not edge cases. This is the baseline state of most vibe-coded apps in production right now.

Why it happens — and why it is not the AI’s fault

AI code generators optimise for one thing: making the feature work. They do not know whether they are building a prototype or a production system. They do not understand the difference between “good enough for testing” and “good enough for real users.”

The result is a specific, repeatable set of failures:

Row-level security was left off on database tables — any user can read any other user’s data

API keys and credentials are hardcoded in source files instead of environment variables

Security logic is placed in the browser (where users can bypass it) instead of the server

Webhook verification missing — anyone can fake a payment confirmation

No soft deletes — deleted records are gone, including audit trails

Vibecoding doesn’t remove existing security controls. It pushes more code through them, faster, exposing where review and policy are late, manual, or disconnected. — Trend Micro, March 2026

The person shipping the app often cannot spot these issues because they did not write the code and cannot read it fluently. That is not a character flaw. It is a comprehension gap that the AI cannot close for you.

The vibe coding hangover

There is a phrase circulating in engineering circles: the vibe coding hangover. It describes what happens when you try to scale or maintain an AI-generated codebase that technically works but architecturally makes no sense.

GitClear data shows code duplication has quadrupled since 2021, while refactoring volume has dropped 60%. Every vibe-coded feature stacked on top of the last inherits and amplifies whatever security assumptions existed in the original. The technical debt is invisible until something breaks, and by then, fixing it costs far more than preventing it would have.

A production bug at a small startup costs between $8,000 and $25,000 in engineering time, customer impact, and lost opportunity. A security breach in an app handling user data or payments has no published ceiling.

The sequencing that actually works

The founders winning with vibe coding in 2026 are not abandoning it. They are using it with intention.

Step 1 — Validate fast and cheap.p

Build your hypothesis with AI tools. Move fast. Do not add real user data, payment flows, or sensitive information. Prove that someone wants what you are building. At this stage, moving fast is correct, and the risk is manageable.

Step 2 — Review before real users touch it

The moment real users are involved, a security review is not optional. This does not have to be a formal engagement. It requires someone who knows where vibe-coded apps typically fail to look at authentication configuration, database security policies, secrets management, and API authorisation.

Step 3 — Build the production version properly

The vibe-coded prototype proved the idea. It did not build the product. Architecture that scales, security embedded from the database up, code a developer can read and maintain without reverse-engineering AI output — that is what production requires. Use the learning from validation to inform a proper build.

THE RULE OF THUMB

Vibe coding is for answering: does anyone want this? Professional development is for answering: can we build this in a way that holds up? The first question is worth answering quickly and cheaply. The second question has consequences that do not respond to reprompting.

What to do right now if you’ve already shipped

If you have a vibe-coded app in production with real users, here is where to start:

Check your database security settings. If you used Supabase, Lovable, or similar tools, verify that row-level security is enabled on every table containing user data.

Look for hardcoded secrets. Search your codebase for any API keys, database passwords, or credentials that appear as plain text in source files. Move them to environment variables immediately.

Check where your authorisation logic lives. If security checks exist only in your frontend JavaScript, they can be bypassed. Server-side validation is non-negotiable for anything that matters.

Run a free scanner. Tools like GitGuardian, Semgrep, and Snyk offer free tiers that catch the most common AI-generated vulnerability patterns. Run one this week.

Get a professional review before you scale. If you are raising money, onboarding enterprise clients, or handling payment or health data, a security review is not optional. The cost is always less than the alternative.

If you’ve built something with AI tools and you’re not sure whether it’s production-ready, the most useful thing you can do is get it reviewed before it becomes a problem. GMTA reviews vibe-coded MVPs and rebuilds them for production. Start here.

Built with AI tools. Not sure if it’s production-ready?

GMTA reviews vibe-coded codebases and rebuilds them with proper security, architecture, and scalability. Security from sprint one, not as a patch after the breach.

Vibe coding is a growing trend where developers use large language models (LLMs) to generate functional code by simply describing what they need in plain language. Instead of manually writing every line, they rely on AI to translate natural language into executable code. The term Vibe coding originates from a post on X by Andrej Karpathy, an influential AI expert known for his work at Tesla and…

I just built my 1st website