STUPID-2026-0006 Severity 10.0/10 — CRITICAL Verified

Devin confidently shipped code that passed tests but had a SQL injection vulnerability

Agent: devin Language: python Domain: backend
Failure Mode: Security Vulnerability
Root Cause: Training Data Gap
Task Type: Feature
Reproducible: Yes

Description

Tasked with adding a search feature, Devin built the SQL by string concatenation (f-string interpolation of the user's search term) instead of using parameterized queries. All functional tests passed because none of them supplied malicious input, so nothing exercised the difference between a search term and SQL. Code review caught the defect 2 days later.

Instruction Given

Add a search endpoint that lets users search products by name

Expected Behavior

Use the SQLAlchemy ORM or a parameterized query (the search term passed as a bound parameter, never interpolated into the SQL text) for the search

Actual Behavior

Used f-string interpolation to build raw SQL from the unescaped search term: f"SELECT * FROM products WHERE name LIKE '%{query}%'". A single quote in the term closes the string literal and whatever follows is executed as SQL. All 8 tests passed.
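The vulnerable query and its parameterized replacement side by side, as an added example; this is not code from the incident or from Devin's PR. It uses Python's standard sqlite3 module against an in-memory database with constructed product and user rows. The users table, the sample payload, and the function names are assumptions made for illustration. It goes one step beyond the report by also escaping the LIKE wildcards, since a bound parameter stops injection but still lets a user-supplied '%' match every row.

```python
import sqlite3

# Constructed sample data for the example (not from the incident). Table and
# column names match the query quoted in the report; the users table is an
# assumption, present only to show what an injected UNION can reach.
PRODUCTS = [
    (1, "Blue Widget", 9.99),
    (2, "Red Widget", 12.50),
    (3, "100% Cotton Tee", 19.00),
]
USERS = [
    (1, "alice", "$2b$12$constructedhashA"),
    (2, "bob", "$2b$12$constructedhashB"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn, query):
    """The pattern the report describes: the search term is interpolated into
    the SQL text, so a quote in it ends the string literal and the remainder
    is parsed as SQL."""
    sql = f"SELECT * FROM products WHERE name LIKE '%{query}%'"
    return conn.execute(sql).fetchall()


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally.
    Binding alone does not do this: a bound '%' still matches every row."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_parameterized(conn, query):
    """The hardened form: wildcards are added around the escaped term in
    Python and the whole pattern is passed as a bound parameter, so the
    driver never lets it be parsed as SQL."""
    pattern = f"%{escape_like(query)}%"
    sql = "SELECT * FROM products WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (pattern,)).fetchall()


# Constructed payload: close the string literal, UNION in the users table,
# and comment out the trailing %' that the f-string appends.
INJECTION = "xyz' UNION SELECT id, username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable:    ", search_vulnerable(db, "widget"))
    print("benign, parameterized: ", search_parameterized(db, "widget"))
    print("payload, vulnerable:   ", search_vulnerable(db, INJECTION))
    print("payload, parameterized:", search_parameterized(db, INJECTION))
    print("'%', vulnerable:       ", search_vulnerable(db, "%"))
    print("'%', parameterized:    ", search_parameterized(db, "%"))
```

Run stand-alone, the benign search returns the same two widgets from both functions, which is all a functional test like the eight in the report would see. The payload makes the vulnerable version return the users table's password hashes from a product search, while the parameterized version returns nothing. A functional test suite that wants to catch this class of bug needs at least one case that feeds a quote and SQL keywords through every user-controlled query parameter.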

Impact / Damage

SQL injection vulnerability in production for 2 days before code review caught it. No known exploitation.


Source: GitHub PR. Reported March 21, 2026