
One in Four: The Security Debt Nobody's Counting

AI-generated code ships faster than ever. It also contains confirmed OWASP vulnerabilities at an alarming rate. The industry is celebrating velocity while quietly building the largest security debt in software history.

In April 2026, a security researcher discovered that Lovable, a vibe-coding platform valued at $6.6 billion with eight million users, had been leaking source code, database credentials, and AI chat histories from thousands of projects. Any free account could access any other user's data through a broken authorisation flaw in their API.

The bug had been reported on HackerOne 48 days earlier. Lovable closed the report without escalating it.

That's not a bug. That's a business model reaching its logical conclusion.

The numbers are in

A previous post on this blog dissected how AI companies oversell their defensive security tools. This is the other side of that coin: the code AI writes is itself the attack surface.

The data is no longer anecdotal. It's industrial-scale.

AppSec Santa tested 534 code samples across six major LLMs against the OWASP Top 10. One in four contained a confirmed vulnerability. Not a style issue. Not a code smell. A vulnerability.

Veracode went further, testing over 100 large language models on security-sensitive coding tasks. The results:

| Category | Failure rate |
| --- | --- |
| Cross-site scripting (CWE-80) | 86% |
| Log injection (CWE-117) | 88% |
| SQL injection (CWE-89) | 45% |
| Java (across all categories) | 72% |

Their conclusion: AI-generated code contains 2.74 times more vulnerabilities than human-written equivalents. AI-assisted commits expose secrets at twice the rate of human-only commits: 3.2% versus 1.5%.

And it's accelerating. Georgia Tech's Vibe Security Radar tracked CVEs directly attributable to AI coding tools: 6 in January, 15 in February, 35 in March. They estimate the true count in the open-source ecosystem is five to ten times higher than the detected figure.

The hallucination that installs itself

There's a specific flavour of AI vulnerability that deserves its own category: slopsquatting.

Roughly 20% of packages that AI recommends don't exist. The model hallucinates a plausible-sounding library name, and the developer installs it without checking. Attackers have figured this out. They register the hallucinated package names on npm, PyPI, and other registries, and fill them with malicious code.

In January 2026, a researcher registered react-codeshift, a package name hallucinated by an LLM, and found it had already made its way into 237 GitHub repositories. Two hundred and thirty-seven repos, running a dependency that exists because an AI made it up.

This is the lava layer with a new twist. The code nobody understands now installs dependencies nobody verified.

Why nobody's counting

Here's the structural problem: the people shipping AI-generated code are incentivised to measure velocity, not security debt.

Your sprint metrics track tickets closed, lines shipped, PRs merged. Nobody has a dashboard for "OWASP violations introduced this quarter." Security teams are downstream. By the time they audit, the lava has hardened into the codebase and extracting it means rewriting the feature.

And here's the really uncomfortable part: "AI-generated" isn't a label in your git history. There's no flag, no tag, no grep pattern. The developer who prompted the code and the developer who typed it by hand produce identical commits. The debt is invisible by design.

91.5% of vibe-coded applications had at least one AI hallucination-related flaw in Q1 2026. That's not a rounding error. That's a structural failure mode that we've collectively decided to ignore because the velocity chart looks good in the sprint review.

What to actually do

  • Treat AI-generated code like untrusted input. Scan it before it merges, not after. Your CI pipeline should catch OWASP Top 10 violations the same way it catches failing tests.
  • Pin your dependencies. Lock files aren't optional when your copilot hallucinates packages. Audit every new dependency that wasn't in yesterday's lock file.
  • Add security to your review checklist. Not "does it look secure?" but specifically: injection, XSS, auth bypass, secret exposure. The four categories where AI fails the hardest.
  • If you can't explain the auth flow the AI wrote, you don't have auth. You have a placeholder that happens to return 200 OK.
  • Track it. If your team uses AI to generate code, start measuring security findings per AI-assisted PR versus human-written ones. You can't manage what you can't see.
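
One way to do the "audit every new dependency that wasn't in yesterday's lock file" step, which is also where a slopsquatted name first becomes visible. This is an added example, not code from the original post. It assumes npm's package-lock.json (lockfileVersion 2 or 3) and a single approved registry; the function names and the sample lock files are constructed for illustration.

```python
import json

NPM_REGISTRY = "https://registry.npmjs.org/"  # assumption: the only approved source

def lock_packages(lock_text):
    """Map package name -> entries from a package-lock.json (lockfileVersion 2/3)."""
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if "node_modules/" not in path or meta.get("link"):
            continue  # skip the root project, workspace sources and symlinks
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        found.setdefault(name, []).append(meta)
    return found

def new_dependencies(old_text, new_text):
    """List packages whose name is absent from the old lock file, with review flags."""
    old, new = lock_packages(old_text), lock_packages(new_text)
    report = []
    for name in sorted(set(new) - set(old)):
        for meta in new[name]:
            flags = []
            if not meta.get("integrity"):
                flags.append("no-integrity-hash")
            if not str(meta.get("resolved", "")).startswith(NPM_REGISTRY):
                flags.append("non-registry-source")
            report.append({"name": name, "version": meta.get("version"), "flags": flags})
    return report

# Constructed sample lock files: every name, version and hash below is made up.
KNOWN = {"version": "1.2.0", "integrity": "sha512-CONSTRUCTED",
         "resolved": NPM_REGISTRY + "known-lib/-/known-lib-1.2.0.tgz"}
OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/known-lib": KNOWN}})
NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/known-lib": KNOWN,
    "node_modules/example-new-pkg": {
        "version": "0.0.1", "integrity": "sha512-CONSTRUCTED",
        "resolved": NPM_REGISTRY + "example-new-pkg/-/example-new-pkg-0.0.1.tgz"},
    "node_modules/@example/git-dep": {
        "version": "2.0.0",
        "resolved": "git+ssh://git@example.invalid/example/git-dep.git#0000000"}}})

if __name__ == "__main__":
    for row in new_dependencies(OLD_LOCK, NEW_LOCK):
        print(row)  # in CI: fail the job until each new name has been reviewed
```

The diff only reports names that are new to the lock file, transitive ones included; version bumps of already-reviewed packages need a separate check.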

The report was filed

Lovable's bug was reported. A human read it, decided it wasn't worth escalating, and closed the ticket. For 48 more days, thousands of projects sat exposed.

That's the real cost of optimising for velocity over understanding. Not the spectacular breach. Not the zero-day. The quiet, mundane decision to close a report because fixing it would slow things down.

The parrot writes fast. It doesn't read the CVE database.

// series: The AI Skeptic (11 of 11)