What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks

Summary: Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet without Security or IT in the loop. The artifact moved from a prompt to a product, and the risk surface moved with it. In The Shadow Builders report, a

The rise of “vibe coding” — the increasingly popular practice of using AI assistants to generate applications with minimal manual programming — is creating a growing cybersecurity problem, according to new research that examined approximately 2,000 publicly exposed AI-generated applications and found widespread security weaknesses.

The findings highlight one of the unintended consequences of the AI coding revolution. While generative AI tools have dramatically lowered the barrier to software development, they have also enabled thousands of people with little or no security expertise to deploy internet-facing applications at unprecedented speed.

Researchers discovered that many of these applications exposed sensitive data, relied on weak authentication controls, leaked API keys, ran on misconfigured databases, or suffered from fundamental security flaws that an experienced developer would normally catch during code review or security testing.

The problem is not necessarily the AI itself.

Modern AI coding assistants can generate functional applications remarkably quickly, often producing working websites, dashboards, APIs, automation tools, and business applications from simple prompts. The challenge arises when users treat generated code as production-ready without understanding the security implications of what they are deploying.

This creates a dangerous illusion of simplicity.

Building software has traditionally required at least some understanding of authentication, authorization, encryption, input validation, session management, database security, and infrastructure hardening. AI tools can automate much of the coding process, but they do not automatically transfer the underlying security knowledge needed to operate software safely.

As a result, many AI-generated applications reach the public internet with little security review.

Among the analyzed applications, the researchers found exposed administrative interfaces, unsecured databases, publicly accessible development environments, embedded credentials, and poorly protected APIs. In most cases these were not sophisticated technical flaws but basic security mistakes, and they became visible only because the applications were pushed to public hosts so quickly that nobody looked at them in between.

The findings reflect a broader transformation occurring across software development.

For decades, programming knowledge acted as a natural barrier limiting who could create internet-facing systems. Generative AI has dramatically lowered that barrier, allowing entrepreneurs, students, hobbyists, and business professionals to create applications that previously would have required dedicated development teams.

That democratization brings enormous benefits.

Small organizations can build tools faster, startups can prototype ideas rapidly, and non-technical users can automate workflows without extensive coding expertise. However, security experts warn that the same accessibility also increases the number of potentially vulnerable systems connected to the internet.

The scale of growth is unprecedented.

Thousands of applications can now be generated and deployed in days rather than months. Traditional security practices such as threat modeling, penetration testing, secure code reviews, and architecture assessments often struggle to keep pace with this velocity.

The models themselves add to the problem.

Many users assume that AI-generated code automatically follows security best practices. In reality, AI models generate code based on patterns found in training data, which may include insecure examples, outdated libraries, vulnerable dependencies, or weak implementation choices.

Researchers also warn that attackers are paying close attention.

Publicly exposed AI-generated applications may become attractive targets because many follow predictable development patterns and are often maintained by inexperienced operators. Cybercriminals can automate scanning for common weaknesses and compromise vulnerable systems at scale.

The issue extends beyond individual applications.

Many AI-generated projects integrate cloud services, payment platforms, databases, authentication providers, and third-party APIs. A compromised application may therefore expose customer information, cloud credentials, financial data, or operational systems connected to broader environments.

This creates a new category of software supply chain risk.

As AI-generated applications become increasingly common inside businesses, organizations may unknowingly introduce insecure tools into production environments. Shadow development, where employees build applications independently using AI tools, could become as significant a challenge as Shadow IT or Shadow AI.

Security professionals are increasingly calling for stronger safeguards, including automated security scanning, secure-by-default AI coding assistants, built-in vulnerability detection, and greater emphasis on developer education.
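The automated scanning called for here is the cheapest of these safeguards to put in place, and it directly targets the failure modes listed earlier (embedded credentials, connection strings with passwords, debug and CORS settings left at development defaults, a committed .env file). The following pre-publish check is an added example written for this article, not code from the report or from any vendor: it walks a project's files and flags those patterns before the app is pushed to a public host. The sample project, the key formats it matches (AWS access key IDs, Stripe live secret keys, database URLs with embedded passwords) and the severity rule that treats files under public/, static/, dist/ or build/ and .html/.js files as client-served are all assumptions of the example; every credential value in the sample is fake.

```python
"""Pre-publish check for an AI-generated project: flag embedded credentials and
development defaults before the app goes public.

Added example for this article, not the report's or any vendor's tooling. The
SAMPLE_PROJECT files below are constructed for illustration and every secret in
them is fake. The rules are deliberately simple regular expressions; treat a hit
as something to look at, not as proof of compromise.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# (rule name, pattern applied per line, remediation hint)
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "move to a secrets manager or environment variable; rotate the key"),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
     "server-side only; never ship in a frontend bundle"),
    ("db_url_with_password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)(?:\+\w+)?://[^:/\s]+:[^@\s]+@"),
     "read DATABASE_URL from the environment at runtime"),
    ("generic_hardcoded_secret",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
     "load from the environment; confirm the value is not a placeholder"),
    ("cors_wildcard",
     re.compile(r"(?i)(?:Access-Control-Allow-Origin|origins?)\s*[:=]\s*[\"']\*[\"']"),
     "allow only the origins the app actually serves"),
    ("debug_enabled", re.compile(r"^\s*DEBUG\s*=\s*True\b"),
     "set DEBUG=False for public deployments"),
]

# Assumed layout: anything in these directories or with these extensions reaches the browser.
CLIENT_SERVED_DIRS = {"public", "static", "dist", "build"}
CLIENT_SERVED_EXTS = (".html", ".js")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 1-based; 0 for a file-level finding
    rule: str
    severity: str    # "high" when the file is client-served, else "medium"
    hint: str


def severity_for(path: str) -> str:
    parts = path.split("/")
    if any(p in CLIENT_SERVED_DIRS for p in parts[:-1]) or parts[-1].endswith(CLIENT_SERVED_EXTS):
        return "high"
    return "medium"


def scan_file(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    name = path.rsplit("/", 1)[-1]
    # A real .env in the tree ends up committed or deployed; an .env.example is fine.
    if name.startswith(".env") and name != ".env.example":
        findings.append(Finding(path, 0, "env_file_committed", severity_for(path),
                                "add to .gitignore and keep out of the deploy bundle"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, hint in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, severity_for(path), hint))
    return findings


def scan_project(files: dict[str, str]) -> list[Finding]:
    """files maps a relative path to its content, e.g. loaded from a checkout."""
    return [f for path in sorted(files) for f in scan_file(path, files[path])]


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def report(findings: list[Finding]) -> str:
    return "\n".join(f"[{f.severity}] {f.path}:{f.line} {f.rule}: {f.hint}" for f in findings)


# Constructed sample project; all key and password values are fake.
SAMPLE_PROJECT = {
    "public/app.js": (
        "const stripe = Stripe('sk_live_abcdefghijklmnopqrstuvwxyz0123');\n"
        "fetch('/api/orders', { headers: { 'x-api-key': 'AKIAIOSFODNN7EXAMPLE' } });\n"
    ),
    "app/settings.py": (
        "DEBUG = True\n"
        "DATABASE_URL = 'postgres://app:Sup3rSecret!@db.internal:5432/prod'\n"
        "CORS_ORIGINS = '*'\n"
    ),
    ".env": "OPENAI_API_KEY=sk-example\nSECRET_KEY = \"change-me-in-prod-please\"\n",
    ".env.example": "OPENAI_API_KEY=\nSECRET_KEY=\n",
    "README.md": "Run with DEBUG=False in production.\n",
}

if __name__ == "__main__":
    print(report(scan_project(SAMPLE_PROJECT)))
```

Run against a real checkout by loading each file's text into the dict that scan_project takes. The severity split is the point of the example: a leaked key in app/settings.py is bad, but the same key in public/app.js is already in every visitor's browser, and that is the difference between "rotate soon" and "rotate now".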

The broader lesson from the study is not that AI-generated software is inherently insecure.

Rather, it demonstrates that software development and software security are not the same thing. AI can dramatically accelerate the creation of applications, but it cannot eliminate the need for security expertise, governance, and testing.

As AI continues transforming software development, the greatest risk may not be the code these systems generate — but the false confidence that anyone can safely deploy production software simply because the coding itself has become easier.

Key facts

  • Employees are creating full applications with AI, integrating them into production systems without security oversight.
  • These applications are being published online, exposing potential vulnerabilities and risks to the organization.

Why it matters

This practice increases the risk surface significantly, as these applications often lack proper security measures. Without IT or Security involvement, organizations face potential data breaches and compliance issues.