Your Vibecoded App Is Probably Hackable
The security stuff AI agents miss (and how to fix it)
Tenzai tested five major vibe coding tools in December 2025: Claude Code, Codex, Cursor, Replit, and Devin. They found 69 vulnerabilities across 15 applications. Every single tool shipped insecure code.
The tools are good at avoiding classic attacks like SQL injection and XSS. Tenzai didn’t find a single one. But they consistently fail at business logic and security controls. The researchers said it plainly: “Coding agents cannot be trusted to design secure applications.”
I use these tools daily. But there are things they don’t think about unless you ask.
Your Database Is Probably Wide Open
If you’re using Supabase, AI writes code that queries the database directly from the frontend. It works. It can also be a security hole.
Supabase auto-generates REST APIs from your schema. Create a table called users, and there’s an endpoint at /rest/v1/users that anyone can hit. The anon key in your frontend code is public by design. But without Row Level Security (RLS) enabled, that public key gives access to everything.
83% of exposed Supabase databases involve RLS misconfigurations. Supabase now enables RLS by default on tables created through their dashboard. But if you create tables via SQL, you need to enable it yourself.
What to do: Enable RLS on every table. Test it by hitting your endpoints with just the anon key. If you see actual data instead of an empty array, you’re exposed. Use Supabase’s Security Advisor to scan for this.
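The check described above, written out as a small script. This is an added example, not code from the article or from Supabase: it probes each table through the auto-generated REST endpoint using only the anon key, and treats any row coming back without a user session as an exposure. It assumes `SUPABASE_URL` and `SUPABASE_ANON_KEY` are set in the environment and that table names are passed as arguments.

```shell
#!/usr/bin/env sh
# Added example (not from the article or Supabase). Probes tables through the
# auto-generated PostgREST API with nothing but the public anon key.
#
# Assumptions: SUPABASE_URL (e.g. https://<project>.supabase.co) and
# SUPABASE_ANON_KEY are exported; table names are given as arguments.

# Classify a PostgREST response body obtained with the anon key alone:
#   "[]"        -> RLS (or grants) blocked the read: protected
#   "[{...}]"   -> rows came back with no user session: exposed
#   anything else (error JSON, empty body) -> error, inspect by hand
classify_rest_response() {
  case "$1" in
    '[]')     echo protected ;;
    '['*']')  echo exposed ;;
    *)        echo error ;;
  esac
}

# Build the REST URL for a table; limit=1 so the probe pulls at most one row
rest_url() {
  echo "${SUPABASE_URL%/}/rest/v1/$1?select=*&limit=1"
}

# Probe one table with the anon key only (no user JWT in the Authorization header)
check_table() {
  body=$(curl -s "$(rest_url "$1")" \
    -H "apikey: $SUPABASE_ANON_KEY" \
    -H "Authorization: Bearer $SUPABASE_ANON_KEY")
  classify_rest_response "$body"
}

# Check every table given; exit non-zero if any is exposed so this can gate CI
main() {
  rc=0
  for t in "$@"; do
    status=$(check_table "$t")
    echo "$t: $status"
    if [ "$status" = exposed ]; then
      rc=1
      echo "  fix: alter table public.$t enable row level security;"
      echo "       then add policies, e.g. create policy ... using (auth.uid() = user_id);"
    fi
  done
  return $rc
}

# Only run the probe when executed with table names, not when sourced
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh check_rls.sh users orders profiles`. Two caveats worth knowing before you flip the switch: enabling RLS on a table with no policies blocks every read and write for the anon and authenticated roles, so the table is safe but your app stops working until you add policies; and the service_role key bypasses RLS entirely, so it belongs only in server-side code, never in the frontend bundle next to the anon key.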