We Scanned 100 AI-Built Apps: Here's What We Found
Across 100 apps built with Cursor, Lovable, Bolt.new, and v0, the same handful of vulnerability classes showed up on nearly every scan — regardless of which tool built the app.
The pattern, scan after scan
- Secret API keys shipped in client-side JavaScript bundles, the single most common finding, present regardless of framework. Publishable keys such as a Supabase anon key are meant to reach the browser; the finding is about service-role keys, payment-provider secret keys and similar credentials that grant server-side privileges to anyone who views source.
- Supabase RLS disabled on at least one table, across nearly all Supabase-backed apps. With RLS off, the anon key the front end already ships lets any visitor read and write every row of that table through the auto-generated REST API.
- Missing HTTP security headers (CSP, HSTS, X-Frame-Options), usually all of them, since these require explicit configuration that AI tools rarely add unprompted.
- Admin routes reachable with no server-side authentication check.
- Payment webhook handlers with no signature verification, so anyone who learns the webhook URL can post a forged "payment succeeded" event.
None of these vary much by which AI tool built the app. They are a property of what AI code generation optimizes for, a feature that visibly works, not a quirk of any one platform.
Why the same bugs, every time
AI coding assistants are trained to produce code that satisfies the prompt. "Build a login page" gets you a login page. It doesn't reliably get you an IDOR check on the profile endpoint, or a rate limit on the password-reset flow, because nobody asked for those explicitly — and they're invisible until something looks for them.
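To make the two omissions above concrete, here is an added example, not code from the original post: an ownership check on a profile endpoint (the naive lookup beside the fixed one) and a sliding-window rate limit on a password-reset endpoint keyed per e-mail and per client IP. The `USERS` map, route shapes, limits and window sizes are assumptions for illustration; a real deployment would back the limiter with Redis or similar rather than process memory.

```javascript
// Added example (not from the original post): an IDOR check and a
// password-reset rate limit. Sample users, limits and the in-memory store
// are constructed for illustration.

// Constructed sample data standing in for a users table.
const USERS = new Map([
  ["u_1", { id: "u_1", email: "alice@example.com", plan: "pro" }],
  ["u_2", { id: "u_2", email: "bob@example.com", plan: "free" }],
]);

// GET /api/profile/:id, naive form: the id comes straight from the URL, so
// any logged-in user can read any other user's row by changing it.
function getProfileVulnerable(session, requestedId) {
  const user = USERS.get(requestedId);
  return user ? { status: 200, body: user } : { status: 404 };
}

// Fixed form: authorization is decided by the session, not the URL.
function getProfile(session, requestedId) {
  if (!session || !session.userId) return { status: 401 };
  // Answer 404 rather than 403 so the response does not confirm which
  // ids exist.
  if (requestedId !== session.userId) return { status: 404 };
  const user = USERS.get(requestedId);
  return user ? { status: 200, body: user } : { status: 404 };
}

// Sliding-window limiter: remembers hit timestamps per key and refuses
// once `limit` hits fall inside the trailing `windowMs`.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> array of hit timestamps (ms)
  }
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

const WINDOW_MS = 15 * 60 * 1000;
const emailLimiter = new SlidingWindowLimiter({ limit: 3, windowMs: WINDOW_MS });
const ipLimiter = new SlidingWindowLimiter({ limit: 20, windowMs: WINDOW_MS });

// POST /auth/reset-password. Limited on two dimensions so one client
// cannot spam a single inbox or sweep many addresses from one IP.
function requestPasswordReset({ email, ip }, now = Date.now()) {
  const normalized = String(email || "").trim().toLowerCase();
  if (!normalized || !ip) return { status: 400 };
  if (!ipLimiter.allow(`ip:${ip}`, now) || !emailLimiter.allow(`email:${normalized}`, now)) {
    return { status: 429 };
  }
  // Always 202, whether or not the address exists, to avoid account
  // enumeration. Sending the mail itself is out of scope here.
  const exists = [...USERS.values()].some((u) => u.email === normalized);
  return { status: 202, wouldSend: exists };
}
```

Note that `getProfile` compares ownership before the database lookup and that `requestPasswordReset` normalizes the address before keying the limiter, otherwise `Alice@Example.com` and `alice@example.com` would each get their own quota.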
What this means if you're shipping with AI tools
None of these findings require the app to be badly built. They're default gaps in how AI-generated code handles the parts nobody explicitly specified. A scan built to catch these specific, recurring patterns is proportionate — see Security Scanner.
Check your app for these same five patterns in 25 seconds.
Scan My App →