What is vibe coding?
Vibe coding is the practice of building entire software applications using AI coding assistants like Cursor, Bolt, Lovable and Replit with minimal or no manual coding. The developer describes what they want in natural language and the AI generates the code. The term emerged in 2025 to describe non-technical founders shipping production applications built entirely by AI.
The concept was popularized by Andrej Karpathy, co-founder of OpenAI, who described the experience of "fully giving in to the vibes" and letting AI write every line of code. Instead of writing functions, debugging logic and architecting systems, the vibe coder describes outcomes: "build me a login page with email verification," "add a Stripe payment flow," "create an admin dashboard with user management."
Vibe coding has democratized software development. People with no programming background are building and launching SaaS products, e-commerce platforms and internal tools in days instead of months. The barrier to entry has effectively disappeared. But the security implications are severe.
How Vibe Coding Works
A typical vibe coding workflow looks like this:
- The developer opens an AI coding tool like Cursor, Bolt or Lovable
- They describe what they want in plain English: "Build a task management app with user accounts, team workspaces and Stripe billing"
- The AI generates the entire application: frontend, backend, database schema and deployment configuration
- The developer reviews the result visually, checking if it looks and behaves correctly
- They iterate with follow-up prompts: "Add dark mode," "Make the sidebar collapsible," "Fix the layout on mobile"
- When satisfied, they deploy to production
Notice what is missing from this workflow: security review, code audit, penetration testing, threat modeling and vulnerability assessment. The developer checks if the application works. Nobody checks if it is secure.
Security Risks of Vibe Coding
Vibe-coded applications share a predictable set of security vulnerabilities. At Sherlock Forensics, we have audited dozens of vibe-coded applications and the same patterns appear consistently:
No Input Validation
AI assistants build forms that accept whatever users submit. There is no server-side validation, no sanitization and no protection against injection attacks. Every user input field becomes a potential entry point for SQL injection, cross-site scripting (XSS) and command injection.
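As an added example (not code from the article), the contrast described above for a "create task" form: a server-side validator that only admits the fields it expects, alongside the concatenated SQL a generator typically emits and the parameterised query that replaces it. The schema, field names and the database placeholder syntax ($1, $2) are assumptions.

```javascript
// Added example; TASK_SCHEMA and its field names are assumed for illustration.
const TASK_SCHEMA = {
  title: { type: 'string', maxLen: 200, required: true },
  notes: { type: 'string', maxLen: 5000, required: false },
  priority: { type: 'number', min: 1, max: 5, required: false },
};

// Rejects unknown fields, wrong types and oversized values, and returns a
// cleaned object so later code never touches the raw request body.
function validateTaskInput(body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], value: null };
  }
  for (const key of Object.keys(body)) {
    // hasOwnProperty, not `in`: `in` would accept "constructor" or "toString".
    if (!Object.prototype.hasOwnProperty.call(TASK_SCHEMA, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [key, rule] of Object.entries(TASK_SCHEMA)) {
    const v = body[key];
    if (v === undefined) {
      if (rule.required) errors.push(`${key} is required`);
      continue;
    }
    if (typeof v !== rule.type) { errors.push(`${key} must be a ${rule.type}`); continue; }
    if (rule.type === 'string' && (v.length === 0 || v.length > rule.maxLen)) {
      errors.push(`${key} must be 1-${rule.maxLen} characters`); continue;
    }
    if (rule.type === 'number' && (!Number.isInteger(v) || v < rule.min || v > rule.max)) {
      errors.push(`${key} must be an integer ${rule.min}-${rule.max}`); continue;
    }
    value[key] = v;
  }
  return { ok: errors.length === 0, errors, value: errors.length === 0 ? value : null };
}

// Typical generated code: string concatenation. Any quote in the title, even a
// legitimate one, becomes part of the SQL, so the user controls the statement.
function buildInsertUnsafe(ownerId, task) {
  return `INSERT INTO tasks (owner_id, title) VALUES (${ownerId}, '${task.title}')`;
}

// Hardened: the SQL text is fixed and user data travels as bound parameters.
function buildInsert(ownerId, task) {
  return {
    text: 'INSERT INTO tasks (owner_id, title, notes, priority) VALUES ($1, $2, $3, $4)',
    values: [ownerId, task.title, task.notes ?? null, task.priority ?? 3],
  };
}
```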
Broken Authentication
Login systems generated by AI often have critical flaws. Common issues include password reset flows that leak valid email addresses, session tokens that never expire, missing brute-force protection and authentication checks that can be bypassed by directly accessing protected URLs.
Exposed Secrets
Vibe coders frequently deploy applications with API keys, database credentials and third-party secrets hardcoded in frontend JavaScript or committed to public repositories. The AI needs these values to make the code functional, and non-technical founders often do not understand the difference between client-side and server-side code.
Missing Access Controls
AI-generated APIs commonly allow users to access or modify resources belonging to other users simply by changing an ID in the URL. This vulnerability, called Insecure Direct Object Reference (IDOR), is one of the most common findings in our audits of AI-built applications.
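The IDOR pattern above in a minimal request handler, as an added example that is not from the article: the generated version looks a task up by id alone, the hardened version makes ownership part of the lookup. The in-memory store, the user ids and the request shape ({ user, params }) are assumed stand-ins for a real web framework.

```javascript
// Constructed sample data (assumed): two users, each owning one task.
const TASKS = new Map([
  [101, { id: 101, ownerId: 'alice', title: 'Renew domain' }],
  [102, { id: 102, ownerId: 'bob', title: 'Rotate API keys' }],
]);

function parseId(raw) {
  // Only a plain positive integer is accepted; "102abc", "-1" and "1e3" are rejected.
  return /^[1-9]\d*$/.test(String(raw)) ? Number(raw) : null;
}

// Typical generated handler: authenticates the caller, then fetches the task
// by id alone. Any logged-in user can read any task by changing the id.
function getTaskUnsafe(req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const id = parseId(req.params.id);
  const task = id !== null ? TASKS.get(id) : undefined;
  if (!task) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: task };
}

// Hardened handler: ownership is part of the lookup, and a task the caller
// does not own is answered exactly like one that does not exist, so the
// endpoint does not reveal which ids are valid.
function getTaskSafe(req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const id = parseId(req.params.id);
  const task = id !== null ? TASKS.get(id) : undefined;
  if (!task || task.ownerId !== req.user.id) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: task };
}

// Regression check for the handler: authenticate as one user and request a
// resource owned by another. Returns true if the handler leaks it.
function leaksOtherUsersData(handler) {
  const asAlice = { user: { id: 'alice' }, params: { id: '102' } };
  return handler(asAlice).status === 200;
}
```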
Unpatched Dependencies
AI assistants install packages to solve problems. They rarely check if those packages are current, maintained or free from known vulnerabilities. Vibe-coded applications frequently ship with dozens of outdated dependencies containing published CVEs.
The Scale of the Problem
Vibe coding is not a fringe trend. In 2026, tools like Cursor have millions of active users. Bolt and Lovable have enabled thousands of non-technical founders to launch production applications. Y Combinator reported that a significant percentage of their recent batch used AI to write the majority of their codebase.
These applications handle real user data, process real payments and store real credentials. When they get breached, real people are harmed. The vibe coder may not understand what a SQL injection is, but their users' data is just as exposed as if the vulnerability existed in code written by a junior developer.
How to Secure a Vibe-Coded Application
If you have built an application through vibe coding, take these steps before launching or as soon as possible if you are already live:
1. Get a professional security audit. A penetration test from Sherlock Forensics identifies every vulnerability in your application and provides specific instructions for fixing each one. Quick audits start at $1,500 CAD and deliver results in 3 to 5 business days.
2. Move all secrets out of your code. API keys, database passwords and third-party credentials should never appear in source code. Use environment variables and a secrets management service. If secrets have been committed to git at any point, rotate them immediately because they are compromised.
3. Add server-side input validation. Every piece of data that comes from a user must be validated on the server. Client-side validation is a user experience feature, not a security control. An attacker can bypass any client-side check.
4. Implement proper authentication. Use established authentication libraries instead of custom implementations. Add rate limiting to login endpoints. Enforce strong password requirements. Implement secure session management with proper token expiration and rotation.
5. Test your access controls. Log in as one user and try to access another user's data by changing IDs in URLs and API requests. If you can see or modify other users' resources, your access controls are broken.
6. Update your dependencies. Run npm audit, pip-audit or the equivalent for your technology stack. Update packages with known vulnerabilities. Remove packages you are not using.
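One piece of step 4, rate limiting on the login endpoint, as an added example that is not from the article: failed attempts are counted per account and per source address over a sliding window, and both counters are consulted before the password is checked. The window size, the limits, the injectable clock and the checkPassword callback are assumptions for illustration.

```javascript
const WINDOW_MS = 15 * 60 * 1000;   // 15-minute sliding window (assumed)
const MAX_PER_ACCOUNT = 5;          // failed attempts per username (assumed)
const MAX_PER_IP = 50;              // failed attempts per source address (assumed)

// Keeps timestamps of recent failures keyed by "kind:value". A Map is enough
// for one process; a multi-instance deployment would keep these counts in a
// shared store (Redis, the database) so every instance sees the same numbers.
class LoginRateLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so the window can be tested
    this.failures = new Map();
  }

  recent(key) {
    const cutoff = this.now() - WINDOW_MS;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    this.failures.set(key, kept);
    return kept;
  }

  // Checked before the password: the per-account limit stops one account
  // being hammered from many sources, the per-source limit stops one source
  // spraying many accounts. Usernames are normalised so case does not reset it.
  isBlocked(ip, username) {
    return this.recent(`ip:${ip}`).length >= MAX_PER_IP ||
      this.recent(`user:${username.toLowerCase()}`).length >= MAX_PER_ACCOUNT;
  }

  // Recorded only on a failed password check; a later success does not
  // clear the counters, so a lucky guess does not erase the preceding failures.
  recordFailure(ip, username) {
    const t = this.now();
    for (const key of [`ip:${ip}`, `user:${username.toLowerCase()}`]) {
      this.recent(key).push(t);
    }
  }
}

// checkPassword is an assumed callback returning true when the credentials
// verify. Blocked attempts answer 429 without touching the password store.
function attemptLogin(limiter, ip, username, checkPassword) {
  if (limiter.isBlocked(ip, username)) return { ok: false, status: 429 };
  if (checkPassword(username)) return { ok: true, status: 200 };
  limiter.recordFailure(ip, username);
  return { ok: false, status: 401 };
}
```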
Vibe Coding Is Not Going Away
Vibe coding will only accelerate. AI coding tools are getting better, faster and more capable. More people will build more applications with less technical knowledge. This is not inherently bad. Democratizing software creation has enormous positive potential.
But security cannot be an afterthought. The same way you would not open a restaurant without a health inspection, you should not launch a production application without a security audit. The tools make building easy. Making it safe requires professional expertise.
If you are a vibe coder with a live application, get a security audit from Sherlock Forensics. Quick audits start at $1,500 CAD and identify the vulnerabilities that put your users at risk.
People Also Ask
Is vibe coding safe?
Vibe coding is safe for prototyping and learning, but vibe-coded applications should never go to production without a professional security audit. AI assistants generate code with predictable vulnerability patterns including injection flaws, broken authentication and exposed secrets. Sherlock Forensics offers vibe code audits starting at $1,500 CAD to identify and fix these issues before launch.
Can you build a real app with vibe coding?
Yes. People are shipping production applications built entirely through vibe coding with tools like Cursor, Bolt, Lovable and Replit. The applications work, process payments and handle user data. The risk is that functional does not mean secure. A working app can still have critical vulnerabilities that expose user data or allow unauthorized access.
How do I secure a vibe-coded app?
Start with a professional security audit before launching. Move all secrets to environment variables and a secrets manager. Add input validation to every user-facing field. Implement proper authentication with secure session handling. Set restrictive CORS policies. Add rate limiting to login and API endpoints. Schedule regular security audits as you add features.