NEKOD
Article · April 2, 2026 · 7 min read

The 5 Security Gaps Hiding in Every Vibe-Coded App

We have scanned over 100 vibe-coded apps. These are the 5 security vulnerabilities that show up in almost every single one.

By Antigoni Kourou

We have scanned over 100 apps built with Lovable, Replit, Cursor, Claude, and V0. These five security gaps appeared in nearly every single one.

1. Hard-Coded API Keys and Secrets

This is the most common finding. When you tell an AI to "connect to Stripe" or "add Supabase authentication," it often places API keys directly in the source code: sometimes in a .env file that then gets committed, sometimes in the component file itself. Either way the secret ends up in the repository, and if the repository is public it is on GitHub for the world to see. A key placed in frontend code is worse still, because it ships in the JavaScript bundle to every visitor, whether or not the repository is private.

Why AI does this: AI models optimise for working code. A hard-coded key makes the code work immediately. Environment variable configuration is an extra step that the AI often skips unless you explicitly ask for it.

The fix: Move every secret into an environment variable that is read only on the server, add .env.local (and .env) to .gitignore, and set the values through your hosting platform's environment variable management. Never prefix a secret with NEXT_PUBLIC_ (or VITE_): those variables are inlined into the browser bundle by design, so only values that are meant to be public belong there. The Supabase anon key is public; the service_role key bypasses RLS and never is. If a key has already been committed, deleting it from the working tree is not enough, because it stays in the git history: rotate it in the provider's dashboard. And never paste secrets into the prompt, because they tend to come back out in the generated code.
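A check that catches the leaks this section describes, as an added example rather than NEKOD's own scanner: a small pre-commit style scan over the files about to be committed. It flags literal keys by their prefix, flags env vars that carry a secret under a public prefix, and decodes Supabase JWTs so that the public anon key is left alone while a service_role key is reported. The patterns are an illustrative subset, and every file, key and name in the fixtures is constructed for the demo.

```typescript
// Added example, not NEKOD's scanner: a heuristic pre-commit check for secrets in
// the files about to be committed, and for env vars that are public by naming
// convention but hold a secret. The patterns are a small illustrative subset of
// what a real scanner carries, and every file and key below is constructed.

export interface Finding { file: string; line: number; rule: string }

// Literal key formats whose prefix is a reliable tell (approximate patterns).
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["stripe-secret-key", /\bsk_(live|test)_[0-9A-Za-z]{16,}/],
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
  ["github-token", /\bghp_[0-9A-Za-z]{36}\b/],
];

// NEXT_PUBLIC_* (Next.js) and VITE_* (Vite) are inlined into the browser bundle,
// so a "secret" or "service role" name under either prefix is always wrong.
const SECRET_UNDER_PUBLIC_PREFIX = /\b(NEXT_PUBLIC|VITE)_[A-Z0-9_]*(SECRET|SERVICE_ROLE|PRIVATE)[A-Z0-9_]*\s*=/;

// Supabase keys are JWTs. The anon key (payload role "anon") is meant to be
// public; the service_role key bypasses RLS and must never leave the server.
// Decoding the payload tells them apart without flagging every eyJ... string.
const JWT_PATTERN = /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g;

export function jwtRole(token: string): string | null {
  try {
    const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null; // not a JWT, or payload is not JSON
  }
}

export function scanFile(file: string, contents: string): Finding[] {
  const findings: Finding[] = [];
  contents.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    for (const [rule, re] of SECRET_PATTERNS) {
      if (re.test(text)) findings.push({ file, line, rule });
    }
    if (SECRET_UNDER_PUBLIC_PREFIX.test(text)) findings.push({ file, line, rule: "secret-under-public-prefix" });
    for (const token of text.match(JWT_PATTERN) ?? []) {
      if (jwtRole(token) === "service_role") findings.push({ file, line, rule: "supabase-service-role-key" });
    }
  });
  return findings;
}

export function scanFiles(files: Record<string, string>): Finding[] {
  const all: Finding[] = [];
  for (const file of Object.keys(files)) all.push(...scanFile(file, files[file]));
  return all;
}

// Constructed fixtures: unsigned JWTs with the payload shapes Supabase uses.
const fakeJwt = (payload: object) =>
  [JSON.stringify({ alg: "HS256" }), JSON.stringify(payload), "not-a-real-signature"]
    .map((s) => Buffer.from(s).toString("base64url")).join(".");
export const FAKE_ANON_KEY = fakeJwt({ role: "anon" });
export const FAKE_SERVICE_ROLE_KEY = fakeJwt({ role: "service_role" });

// Constructed repository snapshot: one hard-coded Stripe key, one anon key that
// is fine to be public, and one service_role key wrongly exposed as NEXT_PUBLIC_.
export const SAMPLE_FILES: Record<string, string> = {
  "lib/stripe.ts": 'import Stripe from "stripe";\nexport const stripe = new Stripe("sk_live_EXAMPLEEXAMPLEEXAMPLE1234");\n',
  ".env.local": `NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co\nNEXT_PUBLIC_SUPABASE_ANON_KEY=${FAKE_ANON_KEY}\nNEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=${FAKE_SERVICE_ROLE_KEY}\n`,
  "app/page.tsx": "export default function Page() { return null; }\n",
};
```

Run over SAMPLE_FILES this reports three findings: the Stripe key on line 2 of lib/stripe.ts, and two on line 3 of .env.local (the service_role key itself, and its NEXT_PUBLIC_ name). The anon key on line 2 of .env.local is correctly ignored. Wire it to the staged file list in a pre-commit hook, and treat any finding on a key that was already pushed as a rotation, not just a deletion.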

2. Disabled Row Level Security (RLS) in Supabase

If you are building with Supabase (and many vibe coders are), Row Level Security is your database's access control layer. Supabase exposes every table through an auto-generated REST API, and the anon key that unlocks that API ships in your frontend bundle. When RLS is disabled on a table, anyone holding that key, signed in or not, can read, modify, or delete any row in it, including other users' data.

Why AI does this: A table created with a plain CREATE TABLE statement has RLS off, because that is the Postgres default, and AI tools write their schema as SQL migrations rather than through the Supabase dashboard, whose table editor switches RLS on for you. Turning RLS on without also writing policies breaks the demo, because with RLS enabled and no policies every query from the app returns nothing. Writing the policies, the rules that define who can access which rows, is the extra step the AI skips to get to a working demo faster.

The fix: Enable RLS on every table that stores user data, then write policies that tie each row to the authenticated user, typically an owner column such as user_id compared against auth.uid() in the policy's using and with check clauses. Enabling RLS alone denies all access through the API, so the app will not work until the policies exist; that is the safe way to fail. Then test from outside the app: sign in as one user and request another user's row through the REST API. It should come back empty.
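The test step above, as an added example that is neither NEKOD's nor Supabase's code: a probe that calls the project's REST endpoint (PostgREST) with user A's session JWT and asks for a row belonging to user B, first with a SELECT and then with a DELETE. It assumes a hypothetical `notes` table with `id` and `owner_id` columns and an `owner_id = auth.uid()` policy; the project URL, keys, JWT and row id are placeholders, and the two stubs at the bottom are constructed so the logic can be exercised offline. In real use pass `fetch` (Node 18 or newer) as the first argument.

```typescript
// Added example, not NEKOD's or Supabase's code: test an RLS policy from outside
// the app, the way an attacker would, by calling the project's REST endpoint
// (PostgREST) with user A's session JWT and asking for a row that belongs to user B.
//
// Assumptions, all hypothetical: a table `notes` with an `id` and an `owner_id`
// column, a policy `owner_id = auth.uid()`, and two dev users you signed in as to
// obtain JWTs. A fetch-like function is injected so the logic can be exercised
// offline against the stubs at the bottom; in real use pass `fetch` (Node 18+).

export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string> },
) => Promise<{ status: number; json(): Promise<unknown> }>;

export interface Verdict { operation: "select" | "delete"; status: number; rows: number; leaked: boolean }

// With RLS on, PostgREST does not refuse with 403: a SELECT of rows the policy
// hides returns 200 with an empty array, and a DELETE reports zero rows removed.
// So the question is "did any row come back", not "did the server say no".
export async function probeOtherUsersRow(
  fetchImpl: FetchLike,
  projectUrl: string,
  anonKey: string,     // the public anon key; Supabase requires it as the apikey header
  attackerJwt: string, // user A's session token, obtained by signing in as A
  victimRowId: string, // a row you created as user B
): Promise<Verdict[]> {
  const url = `${projectUrl}/rest/v1/notes?id=eq.${encodeURIComponent(victimRowId)}`;
  const headers = {
    apikey: anonKey,
    Authorization: `Bearer ${attackerJwt}`,
    Prefer: "return=representation", // ask DELETE to echo whatever it removed
  };
  const verdicts: Verdict[] = [];
  for (const operation of ["select", "delete"] as const) {
    const res = await fetchImpl(url, { method: operation === "select" ? "GET" : "DELETE", headers });
    const body = await res.json();
    const rows = Array.isArray(body) ? body.length : 0;
    verdicts.push({ operation, status: res.status, rows, leaked: rows > 0 });
  }
  return verdicts;
}

export async function rlsHoldsForNotes(
  fetchImpl: FetchLike, projectUrl: string, anonKey: string, attackerJwt: string, victimRowId: string,
): Promise<boolean> {
  const verdicts = await probeOtherUsersRow(fetchImpl, projectUrl, anonKey, attackerJwt, victimRowId);
  return verdicts.every((v) => !v.leaked);
}

// Constructed stubs. The first behaves like a project with RLS off (every caller
// sees and deletes the row); the second like one where the owner policy is in force.
export const rlsOffStub: FetchLike = async () => ({
  status: 200,
  json: async () => [{ id: "row-of-b", owner_id: "user-b", body: "private" }],
});
export const rlsOnStub: FetchLike = async () => ({ status: 200, json: async () => [] });
```

Run this only against a development project and a throwaway row: if RLS really is off, the DELETE step deletes the row, which is the point of the test but not something to do to production data. A PATCH behaves the same way as the DELETE, so the same probe covers "modify" by swapping the method.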

3. No Input Validation

Forms that accept any input without validation are an invitation for injection attacks. We regularly see contact forms, signup flows, and search fields that pass user input directly to APIs, databases, or email templates without checking or sanitising it first.

Why AI does this: The AI builds the happy path first. The form works, you type your name, it saves your name. But it does not consider what happens when someone types SQL injection payloads, HTML tags, or 10MB of text into that name field.

The fix: Use a validation library like Zod to define a schema for every form and API body, and run it on the server; client-side validation is for usability only, since anyone can bypass it with curl. Set maximum lengths. Escape output at the point where it is rendered, in HTML or in email templates, rather than trying to strip dangerous characters on the way in. Be clear about what validation does not do: it does not protect the database from injection. That job belongs to parameterised queries, which the Supabase client and most ORMs use by default, so do not try to reject quotes and semicolons instead.

4. Missing Authentication on API Routes

Many vibe-coded apps have API routes that assume only the frontend will call them. There is no authentication check, no session validation, no rate limiting. Anyone with a curl command can hit your API directly and perform actions they should not be able to.

Why AI does this: When you ask AI to build a feature, it builds the feature. The frontend calls the API, the API does the thing. Authentication is a cross-cutting concern that the AI typically does not add unless you specifically ask for protected routes.

The fix: Add an authentication check to every API route that modifies data or returns sensitive information, and verify the session token server-side rather than trusting a user ID sent in the request body. Authentication is only half of it: the route must also check that the signed-in user is allowed to touch that particular record, otherwise user A can delete user B's data by changing an ID in the URL. Add rate limiting to slow down abuse and credential stuffing.
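The three checks above on one route, as an added example that is neither the article's code nor any framework's middleware: a framework-agnostic guard that verifies an HS256 session JWT with Node's crypto module, applies a per-user rate limit, and confirms that the caller owns the record before deleting it. The secret, tokens, request shape and in-memory "database" are constructed for the demo. In a Supabase app you would verify the token with the project's JWT secret or call `supabase.auth.getUser(token)` on the server instead of `verifySessionJwt`, and the rest of the guard stays the same.

```typescript
// Added example, not the article's or any framework's code: a framework-agnostic
// guard for an API route. It verifies an HS256 session JWT with Node's crypto,
// applies a per-user rate limit, and checks that the caller owns the resource
// being modified (authentication alone does not stop user A editing user B's
// data). The secret, tokens and "database" below are constructed for the demo.

import { createHmac, timingSafeEqual } from "node:crypto";

const b64url = (s: string) => Buffer.from(s).toString("base64url");

// Used here to mint test tokens; in a real app the auth provider issues them.
export function signSessionJwt(payload: Record<string, unknown>, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

export function verifySessionJwt(token: string, secret: string, nowSeconds: number): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header: any;
  try { header = JSON.parse(Buffer.from(head, "base64url").toString("utf8")); } catch { return null; }
  if (!header || header.alg !== "HS256") return null; // reject "none" and algorithm confusion
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let payload: any;
  try { payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); } catch { return null; }
  if (!payload || typeof payload.sub !== "string") return null;
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) return null; // expired or missing exp
  return { sub: payload.sub };
}

// Fixed-window limiter keyed by user. In-memory, so per process: on serverless
// hosting back this with Redis or the platform's limiter instead.
export class FixedWindowLimiter {
  private hits = new Map<string, { windowStart: number; count: number }>();
  constructor(private limit: number, private windowMs: number) {}
  allow(key: string, nowMs: number): boolean {
    const h = this.hits.get(key);
    if (!h || nowMs - h.windowStart >= this.windowMs) {
      this.hits.set(key, { windowStart: nowMs, count: 1 });
      return true;
    }
    h.count += 1;
    return h.count <= this.limit;
  }
}

export interface ApiRequest { method: string; headers: Record<string, string>; params: { noteId: string } }
export interface ApiResponse { status: number; body: unknown }

// Constructed stand-in for the notes table.
export const NOTES = new Map<string, { ownerId: string; text: string }>([
  ["n1", { ownerId: "user-a", text: "a's note" }],
  ["n2", { ownerId: "user-b", text: "b's note" }],
]);

export function makeDeleteNoteHandler(secret: string, limiter: FixedWindowLimiter, nowMs: () => number) {
  return (req: ApiRequest): ApiResponse => {
    const auth = req.headers["authorization"] ?? "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    const session = verifySessionJwt(token, secret, nowMs() / 1000);
    if (!session) return { status: 401, body: { error: "unauthenticated" } };
    if (!limiter.allow(session.sub, nowMs())) return { status: 429, body: { error: "rate limited" } };
    const note = NOTES.get(req.params.noteId);
    // Same answer for "does not exist" and "not yours", so IDs cannot be enumerated.
    if (!note || note.ownerId !== session.sub) return { status: 404, body: { error: "not found" } };
    NOTES.delete(req.params.noteId);
    return { status: 204, body: null };
  };
}
```

The ownership line is the one most often missing: a route that verifies the token and then deletes whatever ID it was given is authenticated but not authorised. Returning 404 for both a missing note and someone else's note keeps the route from confirming which IDs exist.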

5. No GDPR Consent or Privacy Controls

If your app collects any personal data (names, emails, usage analytics) and serves users in the EU, you need GDPR compliance. This means cookie consent banners, privacy policies, data processing agreements, and the ability for users to request their data or its deletion.

Why AI does this: AI does not consider regulatory requirements unless prompted. It builds functional software, not compliant software. GDPR is a legal framework, not a technical one, and AI tools have no context about which regulations apply to your specific use case and geography.

The fix: Add a cookie consent mechanism. Create a privacy policy that accurately describes your data practices. Implement data export and deletion capabilities. If you use analytics, ensure they are configured for GDPR compliance.

The Common Thread

AI builds code that works, or at least code that demos well. But working is not the same as safe. These five gaps are not bugs in the usual sense; they are missing requirements. The AI was never told to handle them, because the builder did not know to ask.

This is exactly why governance matters. Not to slow you down, but to catch the things you did not know to look for. A five-minute scan can find what would take weeks to discover in production, after a data breach or a compliance fine.

What To Do Next

If you have built an app with any AI coding tool, run through these five checks manually. Or get a scan from NEKOD and we will check all five (plus 50 more) in minutes. The basic scans are free. Finding these gaps before your users do is not a nice-to-have. It is the baseline.

Ready to secure your vibe-coded apps?

Get a free assessment of your vibe-coded application and discover what needs attention before launch.