STUPID-2026-0034 Severity 10/10 — CRITICAL Verified

Vibe-coded Moltbook exposed 1.5M API keys and 35,000 user emails via misconfigured database

Agent: unknown-agent Domain: backend
Failure Mode
Security Vulnerability
Root Cause
Instruction Misunderstanding
Task Type
Feature
Reproducible
No

Quick Answer

Unknown-agent caused a critical-severity (10/10) security vulnerability failure: Vibe-coded Moltbook exposed 1.5M API keys and 35,000 user emails via misconfigured database. The root cause was instruction misunderstanding. 1.

Description

Moltbook, an application built through AI 'vibe coding', exposed roughly 1.5 million API keys and 35,000 user email addresses directly to the public internet. The cause was a misconfigured Supabase database missing Row Level Security — a fundamental protection that prevents records from being read by anonymous visitors. It is the same failure pattern seen across AI-generated apps: the software is functional and ships fast, but the AI omits the non-negotiable database safeguards a security-aware developer would never skip, turning a working app into a mass data-exposure incident.

Instruction Given

Build a social app with a Supabase backend.

Expected Behavior

Protect the database with Row Level Security so records are not readable by the public internet.

Actual Behavior

Moltbook, a vibe-coded application, shipped with a misconfigured Supabase database missing Row Level Security, exposing roughly 1.5 million API keys and 35,000 user email addresses directly to the public internet.

Impact / Damage

1.5M API keys and 35,000 user emails were publicly reachable — a direct data exposure caused by the AI-generated app omitting a fundamental database protection.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported January 15, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0034?

Moltbook, an application built through AI 'vibe coding', exposed roughly 1.5 million API keys and 35,000 user email addresses directly to the public internet. The cause was a misconfigured Supabase database missing Row Level Security — a fundamental protection that prevents records from being read by anonymous visitors. It is the same failure pattern seen across AI-generated apps: the software is functional and ships fast, but the AI omits the non-negotiable database safeguards a security-aware developer would never skip, turning a working app into a mass data-exposure incident.

Which AI agent caused this failure?

Unknown-agent was responsible for this security vulnerability incident, documented as STUPID-2026-0034 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as instruction misunderstanding. Protect the database with Row Level Security so records are not readable by the public internet.

What was the impact or damage?

1.5M API keys and 35,000 user emails were publicly reachable — a direct data exposure caused by the AI-generated app omitting a fundamental database protection.