Scan of 5,600 vibe-coded apps found 2,000+ high-impact vulns, 400+ exposed secrets, PII leaks
Quick Answer
Multiple-agents caused a critical-severity (10/10) security vulnerability failure: Scan of 5,600 vibe-coded apps found 2,000+ high-impact vulns, 400+ exposed secrets, PII leaks. The root cause was training data gap. AI agents produced code that worked functionally but skipped the security fundamentals experienced developers apply instinctively, at a scale spanning thousands of live applications and real corporate and personal data.
Description
In October 2025, API security firm Escape scanned 5,600 publicly available 'vibe-coded' applications — apps built primarily by prompting AI agents. The scan found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of PII exposure containing medical records and bank-account numbers. The systemic root cause is consistent across platforms: AI agents generate code that is functionally correct but skips the security fundamentals — authentication, database protections, secret handling, edge-case validation — that experienced engineers apply by reflex. The result is speed without safety, replicated across thousands of live applications.
Instruction Given
Build production web applications by prompting AI agents ('vibe coding').
Expected Behavior
Generated apps should apply basic security fundamentals — auth, database protections, secret management, input validation.
Actual Behavior
An October 2025 scan of 5,600 publicly reachable vibe-coded apps found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of PII exposure — including medical records and bank account numbers.
Impact / Damage
AI agents produced code that worked functionally but skipped the security fundamentals experienced developers apply instinctively, at a scale spanning thousands of live applications and real corporate and personal data.
Frequently Asked Questions
What happened in incident STUPID-2026-0032? ▾
In October 2025, API security firm Escape scanned 5,600 publicly available 'vibe-coded' applications — apps built primarily by prompting AI agents. The scan found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of PII exposure containing medical records and bank-account numbers. The systemic root cause is consistent across platforms: AI agents generate code that is functionally correct but skips the security fundamentals — authentication, database protections, secret handling, edge-case validation — that experienced engineers apply by reflex. The result is speed without safety, replicated across thousands of live applications.
Which AI agent caused this failure? ▾
Multiple-agents was responsible for this security vulnerability incident, documented as STUPID-2026-0032 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as training data gap. Generated apps should apply basic security fundamentals — auth, database protections, secret management, input validation.
What was the impact or damage? ▾
AI agents produced code that worked functionally but skipped the security fundamentals experienced developers apply instinctively, at a scale spanning thousands of live applications and real corporate and personal data.
Related multiple-agents Incidents
The runaway-cost pattern, quantified: agentic coding tools burn 10-100x more tokens and can rival developer pay
Two AI agents ping-ponged for 11 days and ran up a $47,000 bill — neither noticed anything wrong
Cyera study: 344 verified enterprise agent-damage cases, 188 with no attacker involved