DEVCLASS AD
Applications generated using vibe coding – where the developer gives free reign to an agent – are likely to be insecure, with popular agents such as Claude Code including basic logic errors.
This is according to Ori David, a researcher at startup security company Tenzai, who created three different applications using the same detailed prompts with five coding agents including Cursor, Claude Code, Open AI Codex, Replit and Devin), using their default LLMs (large language models). The researcher spotted a similar number of vulnerabilities in each implementation, though only Claude, Devin and Codex generated flaws rated critical.
In one example quoted by David, Claude generated the following PHP code:
DEVCLASS AD
// If authenticated, enforce ownership check
if ($user) {
// Admin can delete any product, seller can only delete own
if ($user[‘role’] !== ‘admin’ && $product[‘seller_id’] != $user[‘id’]) {
sendJsonResponse([‘error’ => ‘Failed to delete’, ‘code’ => ‘FORBIDDEN’], 403);
}
}
// Delete the product
$stmt = $db->prepare(“DELETE FROM products WHERE id = ?”);
$stmt->execute([$id]);
This code for an ecommerce site checks if the user is logged in and, if so, whether they have permission to delete products. However if the user is not logged in, it makes no checks and goes ahead with deletion. This kind of mistake might be missed by a developer unfamiliar with the code since the application might work correctly until someone tried to abuse it.
It is reminiscent of a user who in the early days of vibe coding boasted on X about creating a software service despite being “not technical,” and later complained about “people bypassing the subscription”, finally shutting down the application.
DEVCLASS AD
According to the research, the agents were well-behaved with respect to certain well-known classes of bug such as SQL injection and cross-site scripting, but performed poorly with authorization logic and business logic. An example of the latter is that most of the agents allowed users to order a negative number of items in the ecommerce app, and negative prices when sellers created products.
Other common flaws included vulnerability to server side request forgery (SSRF), and failure to include best-practice security controls such as security headers.
Coding agents make no guarantee that generated code will be secure, and the fact that vibe coded applications have security vulnerabilities is neither surprising, nor a fault in the agents. The problem is that vibe coding makes it possible for applications to be developed by unskilled developers, or those with skills in AI prompts rather than coding proficiency. If these simple applications contain significant flaws, it is likely that more complex projects will be even less secure.
Tenzai, a start-up in closed beta, pitches its AI security agents as a solution. “While AI agents may introduce vulnerabilities – they also excel at identifying them,” David stated. The extent to which problems caused by AI can be remediated by AI though is an open question. Humans also make mistakes, but it is obvious that adding careful human code review, by developers who fully understand the code, will catch many classes of error. That said, tight deadlines and the pressure to deliver new features may mean that secure coding best-practice gets neglected, and adding vibe coding into the mix looks like a risky combination.
