Applications generated using vibe coding, where the developer gives free rein to an agent, are likely to be insecure, with popular agents such as Claude Code producing basic logic errors.

This is according to Ori David, a researcher at security startup Tenzai, who created three different applications using the same detailed prompts with five coding agents (Cursor, Claude Code, OpenAI Codex, Replit and Devin), each using its default LLM (large language model). The researcher spotted a similar number of vulnerabilities in each implementation, though only Claude, Devin and Codex generated flaws rated critical.

In one example quoted by David, Claude generated the following PHP code:

// If authenticated, enforce ownership check
if ($user) {
    // Admin can delete any product, seller can only delete own
    if ($user['role'] !== 'admin' && $product['seller_id'] != $user['id']) {
        sendJsonResponse(['error' => 'Failed to delete', 'code' => 'FORBIDDEN'], 403);
    }
}

// Delete the product
$stmt = $db->prepare("DELETE FROM products WHERE id = ?");
$stmt->execute([$id]);
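The same delete handler rewritten defensively, as an added example that is not from the article or from any agent's output. It assumes $db is a PDO connection, $user is the authenticated user row or null, $id is the product id taken from the request, and sendJsonResponse() writes a JSON response without terminating the script, which is what makes the absence of a return after the 403 matter; the helper's body below is an assumption, since the article only shows it being called. The rewrite also rejects unauthenticated callers, which the original's "if authenticated" guard skipped, and repeats the ownership rule inside the DELETE statement itself.

```php
<?php
declare(strict_types=1);

// Assumed helper: emits a JSON body and HTTP status but does NOT exit,
// so callers must return after calling it.
function sendJsonResponse(array $payload, int $status): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($payload);
}

function deleteProduct(PDO $db, ?array $user, int $id): void
{
    // 1. Authentication first: an anonymous request must never reach the DELETE.
    if ($user === null) {
        sendJsonResponse(['error' => 'Authentication required', 'code' => 'UNAUTHORIZED'], 401);
        return;
    }

    // 2. Load the product so the ownership decision is based on stored data.
    $stmt = $db->prepare('SELECT seller_id FROM products WHERE id = ?');
    $stmt->execute([$id]);
    $product = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($product === false) {
        sendJsonResponse(['error' => 'Not found', 'code' => 'NOT_FOUND'], 404);
        return;
    }

    // 3. Authorization: admins may delete anything, sellers only their own rows.
    $isAdmin = $user['role'] === 'admin';
    $isOwner = (int) $product['seller_id'] === (int) $user['id'];
    if (!$isAdmin && !$isOwner) {
        sendJsonResponse(['error' => 'Failed to delete', 'code' => 'FORBIDDEN'], 403);
        return;   // the step the generated code was missing: stop here
    }

    // 4. Defence in depth: bind the ownership condition into the query, so a
    //    future control-flow slip above still cannot remove another seller's row.
    if ($isAdmin) {
        $del = $db->prepare('DELETE FROM products WHERE id = ?');
        $del->execute([$id]);
    } else {
        $del = $db->prepare('DELETE FROM products WHERE id = ? AND seller_id = ?');
        $del->execute([$id, $user['id']]);
    }

    if ($del->rowCount() === 0) {
        sendJsonResponse(['error' => 'Failed to delete', 'code' => 'FORBIDDEN'], 403);
        return;
    }
    sendJsonResponse(['deleted' => $id], 200);
}
```

The important design choice is that every denial path ends in a return and the data-layer query carries the authorization condition on its own, so the handler's correctness no longer depends on a single early-exit being remembered. A code review or a unit test that calls deleteProduct() as a non-owning seller and then checks that the row still exists would catch the original defect directly.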