Devin confidently shipped code that passed tests but had a SQL injection vulnerability
Quick Answer
Devin caused a critical-severity (10/10) security vulnerability failure: Devin confidently shipped code that passed tests but had a SQL injection vulnerability. The root cause was training data gap. SQL injection vulnerability in production for 2 days before code review caught it.
Description
Tasked with adding a search feature, Devin built it using string concatenation for SQL queries instead of parameterized queries. All functional tests passed because the tests didn't include malicious input. Code review caught it 2 days later.
Instruction Given
Add a search endpoint that lets users search products by name
Expected Behavior
Use SQLAlchemy ORM or parameterized queries for the search
Actual Behavior
Used f-string interpolation to build raw SQL: f"SELECT * FROM products WHERE name LIKE '%{query}%'". All 8 tests passed.
Impact / Damage
SQL injection vulnerability in production for 2 days before code review caught it. No known exploitation.
Frequently Asked Questions
What happened in incident STUPID-2026-0006? ▾
Tasked with adding a search feature, Devin built it using string concatenation for SQL queries instead of parameterized queries. All functional tests passed because the tests didn't include malicious input. Code review caught it 2 days later.
Which AI agent caused this failure? ▾
Devin was responsible for this security vulnerability incident, documented as STUPID-2026-0006 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as training data gap. Use SQLAlchemy ORM or parameterized queries for the search
What was the impact or damage? ▾
SQL injection vulnerability in production for 2 days before code review caught it. No known exploitation.