Research · February 10, 2026 · 5 min read

We Scanned 10 AI-Built Apps — Here's What We Found

We pentested 10 web apps built with AI coding tools. Every single one had at least one vulnerability. Here are the most common issues.

AI coding tools have made it easier than ever to build and ship web applications. Tools like Cursor, Lovable, Bolt, and v0 can take a rough idea and turn it into a working app in hours. But there's a question nobody seems to be asking: are these apps secure?

We decided to find out. We ran Nullscan against 10 web applications built entirely or primarily with AI coding tools. The results were concerning.

The Setup

We selected 10 publicly available web applications that were explicitly described by their creators as "vibe coded" or "built with AI." These were real products — SaaS tools, marketplaces, dashboards, and internal tools — built with a range of AI coding assistants.

Each app was scanned using Nullscan's free tier, which runs 50 iterations of AI-powered penetration testing. We tested for SQL injection, XSS, authentication bypass, SSRF, IDOR, path traversal, missing rate limiting, and security header configuration.

The Results

Every single app had at least one vulnerability. Most had several. Here's the breakdown of what we found across all 10 applications:

  • 8 out of 10 had missing or misconfigured security headers (no CSP, no HSTS, missing X-Frame-Options)
  • 7 out of 10 had no rate limiting on authentication endpoints
  • 6 out of 10 had at least one input validation issue (potential injection vectors)
  • 4 out of 10 had endpoints that should have required authentication but didn't
  • 3 out of 10 had potential IDOR vulnerabilities where user resources could be accessed by manipulating IDs
  • 2 out of 10 had SSRF-like behavior where the server could be tricked into making internal requests

Missing Security Headers Was Almost Universal

The most common issue by far was missing security headers. This isn't surprising: AI coding tools focus on making features work, and security headers are a defensive measure that doesn't affect functionality. Your app works perfectly fine without them, but without X-Frame-Options (or a CSP frame-ancestors directive) it can be framed for clickjacking, without X-Content-Type-Options browsers may sniff responses into executable types, and without HSTS a first visit over plain HTTP can be downgraded.

Most of the apps we tested had no Content-Security-Policy header at all. This means any XSS vulnerability becomes significantly more dangerous: there is no browser-level policy limiting where scripts may be loaded from or what an injected script can reach, so a single reflected payload can pull in and run an attacker-hosted script.
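To make the header finding concrete, here is an added example (not code from the Nullscan article or scanner) in the JavaScript these apps are usually built in: a small audit of the four headers named above, and a hardened baseline that fills in whatever the app does not already send. The policy values are assumptions chosen for a typical same-origin app that serves its own scripts and is never framed; the sample response is constructed.

```javascript
// Added example (not code from the Nullscan article or scanner): a small
// audit of the response headers the article names, plus a hardened
// baseline that fills in whatever the app does not already send.
// The policy values are assumptions chosen for a typical same-origin app.

const HEADER_RULES = [
  {
    name: 'content-security-policy',
    risk: 'an injected script runs with no browser-side containment',
    check: (v) => {
      // script-src governs scripts; default-src is the fallback if it is absent.
      const m = /script-src([^;]*)/i.exec(v) || /default-src([^;]*)/i.exec(v);
      if (!m) return 'no script-src or default-src directive';
      if (m[1].includes("'unsafe-inline'")) return "script-src allows 'unsafe-inline'";
      return null;
    },
  },
  {
    name: 'strict-transport-security',
    risk: 'protocol downgrade (SSL stripping) on a plain-HTTP visit',
    check: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      if (!m) return 'no max-age';
      if (Number(m[1]) < 31536000) return `max-age ${m[1]} is shorter than one year`;
      return null;
    },
  },
  {
    name: 'x-frame-options',
    risk: 'clickjacking',
    check: (v) => (/^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : `unexpected value "${v}"`),
  },
  {
    name: 'x-content-type-options',
    risk: 'MIME sniffing',
    check: (v) => (v.trim().toLowerCase() === 'nosniff' ? null : `unexpected value "${v}"`),
  },
];

// Returns one finding per missing or weak header; an empty array means clean.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const findings = [];
  for (const rule of HEADER_RULES) {
    const value = lower[rule.name];
    if (value === undefined) {
      findings.push({ header: rule.name, problem: 'missing', risk: rule.risk });
      continue;
    }
    const problem = rule.check(value);
    if (problem) findings.push({ header: rule.name, problem, risk: rule.risk });
  }
  return findings;
}

// Baseline for an app that serves its own scripts and is never framed.
// frame-ancestors is the modern replacement for X-Frame-Options; both are
// sent so older clients are covered too.
const HARDENED_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};

// Adds each baseline header the response does not already set, so an
// explicit (and hopefully deliberate) app value is never overwritten.
function withSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  const out = { ...responseHeaders };
  for (const [name, value] of Object.entries(HARDENED_HEADERS)) {
    if (!present.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample: what a freshly generated app typically sends.
const SAMPLE_RESPONSE = { 'Content-Type': 'text/html; charset=utf-8' };

console.log(auditHeaders(SAMPLE_RESPONSE));                      // four findings
console.log(auditHeaders(withSecurityHeaders(SAMPLE_RESPONSE))); // []
```

Because withSecurityHeaders() never overwrites a header the app already sets, a weak explicit value (a CSP with 'unsafe-inline', an HSTS max-age of a few minutes) still shows up in auditHeaders(); run the audit against the real responses, not just against the baseline.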

No Rate Limiting Is a Ticking Time Bomb

Seven of the ten apps had no rate limiting on their login or password reset endpoints. This means an attacker could attempt thousands of password combinations per minute without being blocked.

Rate limiting is one of those things that's easy to forget because it doesn't affect normal usage. Your app works fine when one person logs in. It becomes a problem when someone writes a script that tries 10,000 passwords in an hour.
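The fix is small once you decide to write it. The following is an added example, not code from the article or from Nullscan: a sliding-window limiter placed in front of the password check. Every attempt is counted against two keys, the client IP (one host spraying many accounts) and the target username (many hosts hammering one account). The limits, the injectable clock, the verify() stand-in and the scenario are assumptions made for the demo.

```javascript
// Added example, not code from the article or from Nullscan: a sliding-window
// limiter in front of a password check. Limits, the clock injection and
// verify() are assumptions made for the demo.

class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;        // injectable so the window can be tested without sleeping
    this.hits = new Map(); // key -> timestamps of attempts inside the window
  }

  // Records one attempt for `key` and says whether it may proceed.
  hit(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((x) => x > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length };
  }
}

// Wraps a credential check. Both limiters are consulted before the password
// is ever compared, so a blocked attempt costs the server nothing and the
// attacker learns nothing about whether the guess was right.
function guardedLogin({ ip, username, password }, verify, limiters) {
  const byIp = limiters.perIp.hit(`ip:${ip}`);
  const byAccount = limiters.perAccount.hit(`user:${username.toLowerCase()}`);
  if (!byIp.allowed || !byAccount.allowed) {
    return {
      status: 429,
      retryAfterMs: Math.max(byIp.retryAfterMs || 0, byAccount.retryAfterMs || 0),
    };
  }
  return verify(username, password) ? { status: 200 } : { status: 401 };
}

// Constructed scenario: one IP tries seven passwords for "alice" in seven
// seconds; the real owner then tries the correct password from another IP,
// and tries again after the per-account window has passed.
function simulateBruteForce() {
  let fakeNow = 0;
  const clock = () => fakeNow;
  const limiters = {
    perIp: new SlidingWindowLimiter({ limit: 20, windowMs: 60_000, now: clock }),
    perAccount: new SlidingWindowLimiter({ limit: 5, windowMs: 15 * 60_000, now: clock }),
  };
  const verify = (user, pw) => user === 'alice' && pw === 'correct horse battery staple';
  const attacker = (pw) => ({ ip: '203.0.113.7', username: 'alice', password: pw });
  const owner = { ip: '198.51.100.2', username: 'alice', password: 'correct horse battery staple' };

  const guesses = [];
  for (let i = 0; i < 7; i++) {
    fakeNow += 1_000;
    guesses.push(guardedLogin(attacker(`guess${i}`), verify, limiters).status);
  }
  fakeNow += 1_000;
  const ownerDuringAttack = guardedLogin(owner, verify, limiters).status;
  fakeNow += 15 * 60_000;
  const ownerAfterWindow = guardedLogin(owner, verify, limiters).status;
  return { guesses, ownerDuringAttack, ownerAfterWindow };
}

console.log(simulateBruteForce());
// { guesses: [401, 401, 401, 401, 401, 429, 429], ownerDuringAttack: 429, ownerAfterWindow: 200 }
```

The scenario also shows the trade-off a per-account limit brings: anyone who knows a username can keep its owner out for the length of the window. That is why production systems usually pair the account limit with a CAPTCHA or a step-up challenge rather than a hard refusal, and keep the per-IP limit as the unconditional one. The Map above lives in one process; behind a load balancer the counters belong in shared storage, or the limit silently becomes N times larger.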

Authentication Gaps

Four apps had API endpoints that returned data without verifying the user was authenticated. In most cases, these were admin or settings endpoints that the AI had generated but hadn't properly protected. The routes existed, the functionality worked, but anyone who knew the URL could access them.

This is a pattern we see often with AI-generated code. The AI builds the feature and the route, but doesn't always think about who should be allowed to access it.
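The structural fix is to make "who may call this" a required part of every route rather than something added afterwards. The following is an added example, not code from the article or from any of the scanned apps: a deny-by-default route table whose dispatcher refuses to serve a route with no declared policy, beside the permissive dispatch the generated apps effectively had, and an auditRoutes() check that lists unlabelled routes so the gap is caught in CI instead of by a scanner. The routes, users and "settings" data are constructed for the demo; req.user is assumed to be the principal already resolved from a session.

```javascript
// Added example, not code from the article or from any of the scanned apps:
// a deny-by-default route table. Routes, users and SETTINGS are constructed;
// req.user is assumed to be the principal already resolved from a session.

const USERS = {
  alice: { name: 'alice', role: 'admin' },
  bob: { name: 'bob', role: 'user' },
};
// The kind of thing an exposed settings endpoint hands out (constructed).
const SETTINGS = { siteName: 'demo', smtpPassword: 'hunter2' };

const allowAnyone = () => true;
const requireAuth = (req) => Boolean(req.user);
const requireRole = (role) => (req) => Boolean(req.user) && req.user.role === role;

// The table as a code generator tends to emit it: handlers present, nothing
// saying who may call the admin routes.
const generatedRoutes = [
  { method: 'GET', path: '/api/health', handler: () => ({ ok: true }), policy: allowAnyone },
  { method: 'GET', path: '/api/admin/settings', handler: () => SETTINGS },
  { method: 'GET', path: '/api/admin/users', handler: () => Object.values(USERS) },
];

// The same table with every route labelled.
const hardenedRoutes = [
  { method: 'GET', path: '/api/health', handler: () => ({ ok: true }), policy: allowAnyone },
  { method: 'GET', path: '/api/me', handler: (req) => req.user, policy: requireAuth },
  { method: 'GET', path: '/api/admin/settings', handler: () => SETTINGS, policy: requireRole('admin') },
  { method: 'GET', path: '/api/admin/users', handler: () => Object.values(USERS), policy: requireRole('admin') },
];

// What the generated app effectively does: any matched route is served.
function naiveDispatch(routes, req) {
  const route = routes.find((r) => r.method === req.method && r.path === req.path);
  return route ? { status: 200, body: route.handler(req) } : { status: 404 };
}

// Deny by default: a route with no policy is a bug, not an implicit "public".
function dispatch(routes, req) {
  const route = routes.find((r) => r.method === req.method && r.path === req.path);
  if (!route) return { status: 404 };
  if (typeof route.policy !== 'function') return { status: 500, error: 'route has no access policy' };
  if (!route.policy(req)) return { status: req.user ? 403 : 401 };
  return { status: 200, body: route.handler(req) };
}

// Lists every route nobody has labelled; run it in CI or at startup.
function auditRoutes(routes) {
  return routes.filter((r) => typeof r.policy !== 'function').map((r) => `${r.method} ${r.path}`);
}

const anonymousRequest = { method: 'GET', path: '/api/admin/settings' };
console.log(naiveDispatch(generatedRoutes, anonymousRequest).body);                        // leaks smtpPassword
console.log(auditRoutes(generatedRoutes));                                                 // the two admin routes
console.log(dispatch(hardenedRoutes, anonymousRequest).status);                            // 401
console.log(dispatch(hardenedRoutes, { ...anonymousRequest, user: USERS.bob }).status);    // 403
console.log(dispatch(hardenedRoutes, { ...anonymousRequest, user: USERS.alice }).status);  // 200
```

The policy slot is also where a per-resource ownership check belongs (a function that compares req.user to the owner of the record being fetched), which is the check missing in the IDOR cases from the results above. Whatever framework the app uses, the property to enforce is the same: no route reaches a handler without passing through an explicit access decision, and the list of routes without one is empty.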

Why This Happens

AI coding tools are optimized for one thing: making your feature work. When you ask an AI to build a login system, it builds a login system. It probably doesn't add rate limiting, brute force protection, or account lockout because you didn't ask for those things.

Security isn't a feature — it's a property of how features are built. And that distinction is something AI tools don't naturally handle well.

This doesn't mean you shouldn't use AI tools. They're incredibly productive. But it does mean you should test the security of what they produce, the same way you'd test any code before shipping it to real users.

What You Should Do

If you've built an app with AI tools and shipped it without a security review, you should scan it. Not because your app is definitely vulnerable, but because the odds are high that it has at least one issue worth fixing.

Nullscan offers a free scan that checks for all the issues described in this article. It takes a few minutes and doesn't require any setup — just paste your URL.

Scan your app for free at nullscan.io
