AI coding tools optimize for code that runs, not code that's safe. Large-scale scans of AI-built applications have repeatedly found that most of them ship with at least one critical vulnerability, and that a striking share leak secrets straight to the browser. These are the seven holes we find most often.
1. Secrets in client-side code
API keys, database URLs and third-party tokens hardcoded into the frontend bundle, where anyone can read them with “View Source.” Often the single most damaging issue, and one of the most common.
2. Missing authentication on endpoints
The UI hides a button, so it feels protected — but the underlying API has no auth check. Anyone who finds the endpoint can call it directly.
3. No input validation (injection & XSS)
User input flows into database queries or the page unchecked, opening the door to SQL/NoSQL injection and cross-site scripting. Generated code rarely sanitizes by default.
4. Broken access control (IDOR)
Endpoints that trust an ID from the request without checking that it belongs to the logged-in user — so changing /orders/123 to /orders/124 shows someone else's data.
5. No rate limiting
Login, signup, and expensive endpoints with no throttling — wide open to brute-force, scraping, and cost-amplification attacks.
6. Missing CSRF protection
State-changing requests with no CSRF defense, letting a malicious page act on behalf of a logged-in user.
7. Verbose errors and exposed debug info
Stack traces, internal paths, and debug endpoints left on in production — a free map of your system for an attacker.
How to tell if your app is affected
You can't, just by using it — every one of these is invisible to a normal user, which is exactly why they survive to launch. The only reliable way to know is a security review: someone reading the code and probing the endpoints the way an attacker would. The good news is that the flaws AI most easily introduces are well understood and straightforward to fix.
Built something with AI and not sure it's safe to launch? IOTA audits, secures and ships vibe-coded apps to production — fixed prices, starting with a $490 audit. See how the rescue works →