Wiz Research Finds Risks in 20% of Vibe-Coded Apps
The most credible security team in cloud lays out exactly which misconfigurations recur.
Open wiz.io →The single biggest failure in AI-built tools is a database with no row-level security: one scan found 170 of 1,645 Lovable apps leaking names, emails, and financial records because the AI generated the tables but never configured access rules. Turn on RLS for every Supabase table, keep API keys server-side (never in the browser), and put the tool behind a real login even if it is 'just internal'. Then run one adversarial pass, asking the AI itself or a scanner to attack what it built, before any customer data goes in.
A quick orientation. The real value is below: resources worth your time, from people who've actually done it.
The most credible security team in cloud lays out exactly which misconfigurations recur.
Open wiz.io →5,600 apps scanned, 2,000+ vulnerabilities and 400+ exposed secrets; the scale of the problem in numbers.
Open escape.tech →The single most actionable checklist: proxy API calls, store secrets in edge functions, lock down RLS.
Open vietanh.dev →The platform's own hardening guidance, worth reading because its defaults caused the incidents.
Open lovable.dev →The mainstream report on 380,000 scanned apps with 5,000 leaking sensitive data.
Open axios.com →A clear technical autopsy of the anon-key-plus-no-RLS pattern behind the leaks.
Open superblocks.com →The canonical doc for the one feature that would have prevented most vibe-coding breaches.
Open supabase.com →Official step-by-step of writing your first RLS policies correctly.
Watch on YouTube youtube.com →RLS explained for AI-builder users rather than backend engineers.
Watch on YouTube youtube.com →Shows the attack and the fix side by side, which makes the risk finally click.
Watch on YouTube youtube.com →A short, current setup walkthrough you can follow along with in one sitting.
Watch on YouTube youtube.com →Once basics work, these are the multi-tenant patterns that keep working at scale.
Open makerkit.dev →93% of tech leaders worry about vibe-coded tools in production; useful ammunition for taking security seriously.
Open retool.com →The infamous live meltdown of an unsecured vibe-coded SaaS; the cheapest security lesson you will ever get.
Open x.com →The full story around that thread, from launch tweet to shutdown.
Open pivot-to-ai.com →The builder community's own reckoning, with practical fixes from people shipping solo.
Open indiehackers.com →Quantifies how often generated code ships vulnerable so you never skip review.
Open getautonoma.com →A printable pre-launch checklist to run before real data enters the tool.
Open catdoes.com →