Study of 1,430 AI-built apps finds 73% have critical security flaws

Feb 2026

A VibeEval scan of 1,430 applications built with AI coding tools found 5,711 security vulnerabilities, with 73% of apps containing at least one critical flaw. The analysis revealed 89% of scanned apps were missing basic security headers, 67% exposed API endpoints or secrets in client-side code, and 23% had JWT authentication bypasses. Apps generated via Replit had roughly twice the vulnerability count compared to those deployed on Vercel. The findings provide large-scale empirical evidence that vibe-coded applications routinely ship with fundamental security gaps.

Incident Details

Perpetrator:Developer

Severity:Facepalm

Blast Radius:Industry-wide data point covering 1,430 AI-built apps; exposes systemic security gaps in vibe-coded software affecting end users and businesses relying on AI-generated application code

Tech Stack

AI coding assistantsReplitVercelLLM code generation

References

VibeEval: Security analysis of AI-generated applications ↗Netlas.io blog: How secure is vibe-coded software? ↗AppSec Santa: VibeEval study on AI app vulnerabilities ↗