STUPID-2026-0032 Severity 10/10 — CRITICAL Verified

Scan of 5,600 vibe-coded apps found 2,000+ high-impact vulns, 400+ exposed secrets, PII leaks

Agent: multiple-agents Domain: backend
Failure Mode
Security Vulnerability
Root Cause
Training Data Gap
Task Type
Feature
Reproducible
No

Quick Answer

Multiple-agents caused a critical-severity (10/10) security vulnerability failure: Scan of 5,600 vibe-coded apps found 2,000+ high-impact vulns, 400+ exposed secrets, PII leaks. The root cause was training data gap. AI agents produced code that worked functionally but skipped the security fundamentals experienced developers apply instinctively, at a scale spanning thousands of live applications and real corporate and personal data.

Description

In October 2025, API security firm Escape scanned 5,600 publicly available 'vibe-coded' applications — apps built primarily by prompting AI agents. The scan found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of PII exposure containing medical records and bank-account numbers. The systemic root cause is consistent across platforms: AI agents generate code that is functionally correct but skips the security fundamentals — authentication, database protections, secret handling, edge-case validation — that experienced engineers apply by reflex. The result is speed without safety, replicated across thousands of live applications.

Instruction Given

Build production web applications by prompting AI agents ('vibe coding').

Expected Behavior

Generated apps should apply basic security fundamentals — auth, database protections, secret management, input validation.

Actual Behavior

An October 2025 scan of 5,600 publicly reachable vibe-coded apps found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of PII exposure — including medical records and bank account numbers.

Impact / Damage

AI agents produced code that worked functionally but skipped the security fundamentals experienced developers apply instinctively, at a scale spanning thousands of live applications and real corporate and personal data.

Share this incident

Help others know about this AI agent failure

Source: Benchmark View source Reported October 15, 2025

Frequently Asked Questions

What happened in incident STUPID-2026-0032?

In October 2025, API security firm Escape scanned 5,600 publicly available 'vibe-coded' applications — apps built primarily by prompting AI agents. The scan found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of PII exposure containing medical records and bank-account numbers. The systemic root cause is consistent across platforms: AI agents generate code that is functionally correct but skips the security fundamentals — authentication, database protections, secret handling, edge-case validation — that experienced engineers apply by reflex. The result is speed without safety, replicated across thousands of live applications.

Which AI agent caused this failure?

Multiple-agents was responsible for this security vulnerability incident, documented as STUPID-2026-0032 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as training data gap. Generated apps should apply basic security fundamentals — auth, database protections, secret management, input validation.

What was the impact or damage?

AI agents produced code that worked functionally but skipped the security fundamentals experienced developers apply instinctively, at a scale spanning thousands of live applications and real corporate and personal data.