
The vibe coding trap: why building an app has never been easier, or riskier
AI tools let anyone build an app in hours. But who owns the code? Who fixes it when it breaks? And what happens when your platform disappears? The hidden costs of vibe coding are adding up fast.
Build an app in 10 minutes. Regret it in 6 months.
Lovable hit $200M in annual revenue faster than any software company in history. Replit grew 1,556% in a single year. Tools like Bolt, v0, and Cursor are turning prompts into production apps before your coffee gets cold.
The promise is seductive: describe what you want, and AI builds it. No developers needed. No technical skills required. Ship tonight, grow tomorrow.
But a growing wave of security breaches, legal grey zones, platform collapses, and abandoned codebases tells a different story. The era of "vibe coding" is creating real problems that non-technical founders are only discovering after it is too late.

Your app works. But is it secure?
This is where vibe coding falls apart first, and hardest.
When you build an app with AI and have no way to audit the code it produces, you are shipping blind. The numbers back this up: security researchers at Escape.tech scanned 5,600 publicly available vibe-coded apps and found over 2,000 high-impact vulnerabilities in live production systems, including 175 instances of personal data exposure and 400+ leaked secrets like API keys and database credentials.[1]
These are not theoretical risks. Here is what has already happened:
- Moltbook, an AI-built social network, was found to have completely disabled Row Level Security. This exposed 1.5 million API tokens, 35,000 email addresses, and every private message on the platform. Because RLS was off, the Supabase public API key sitting in client-side JavaScript gave anyone full unauthenticated access to every database table.[2]
- Lovable-built applications were hit by CVE-2025-48757, where 10.3% of scanned apps had inverted access control logic: authenticated users were blocked while unauthenticated visitors had full access. 18,000+ users were affected.[3]
- Orchids, another AI-built app, had a zero-click remote code execution vulnerability. A security researcher remotely changed a BBC journalist's wallpaper and created files on their laptop, with zero interaction required. The small team behind it said they "possibly missed" 12 warning messages during development.[4]
- Enrichlead, built entirely with Cursor AI with zero handwritten code, had all authorization checks on the client side only. API keys were maxed out through unauthorized usage and the subscription paywall was trivially bypassed.[5]
- Huntarr, a self-hosted media management tool that was 100% vibe-coded, was found to have 21 security vulnerabilities, 7 of them critical. Anyone on the network could access API keys and passwords for every connected service without authentication. When the flaws were publicly disclosed, the developers deleted the GitHub repository and made the subreddit private.[6]
The pattern is always the same: the AI generates code that works on the surface, but security is either misconfigured, missing entirely, or inverted. And if you cannot read the code, you will never know until someone else finds it first.
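The two access-control failures described above, inverted server logic and client-side-only checks, as an added example written for this article (not code from Lovable, Enrichlead or any other product named here): a deliberately broken handler beside a hardened one, and a three-caller audit that flags the difference. All users, records and session objects are constructed sample data, and the function names are hypothetical.

```javascript
// Added example, not code from the article or from any platform it names.
// Models two of the access-control failures the article describes:
// authorization that lives only in the client, and server logic that is
// inverted. Records, sessions and callers below are constructed sample data.

const records = [
  { id: 1, ownerId: "alice", body: "alice's private note" },
  { id: 2, ownerId: "bob", body: "bob's private note" },
];

// Client-only check (the Enrichlead pattern): the UI may hide a button, but
// the API endpoint itself verifies nothing, so any caller that skips the UI
// gets the row. The session parameter is ignored on purpose.
function clientOnlyFetchRecord(session, recordId) {
  const rec = records.find((r) => r.id === recordId);
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// Inverted check (the CVE-2025-48757 pattern): the condition is backwards,
// so authenticated users are rejected and anonymous callers pass.
function invertedFetchRecord(session, recordId) {
  if (session && session.userId) {
    return { status: 403, body: null };
  }
  const rec = records.find((r) => r.id === recordId);
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// Hardened check: deny by default, require a verified session, then enforce
// ownership on the row. This is the application-layer counterpart of a
// database Row Level Security policy; keeping both is defence in depth.
function fetchRecord(session, recordId) {
  if (!session || !session.userId) {
    return { status: 401, body: null };
  }
  const rec = records.find((r) => r.id === recordId);
  // Return 404 for both "missing" and "not yours" so callers cannot use the
  // status code to probe which ids exist.
  if (!rec || rec.ownerId !== session.userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: rec };
}

// A small regression test a reviewer can keep in CI: every handler is run
// with an anonymous caller, the record's owner, and a different logged-in
// user. A handler is only "secure" if exactly the owner can read the row.
function auditHandler(handler) {
  const anonymous = null;
  const owner = { userId: "alice" };
  const otherUser = { userId: "bob" };
  const outcome = {
    anonymousCanRead: handler(anonymous, 1).status === 200,
    ownerCanRead: handler(owner, 1).status === 200,
    otherUserCanRead: handler(otherUser, 1).status === 200,
  };
  outcome.secure =
    !outcome.anonymousCanRead && outcome.ownerCanRead && !outcome.otherUserCanRead;
  return outcome;
}

// Stand-alone run: prints one audit line per handler.
for (const [name, handler] of Object.entries({
  clientOnlyFetchRecord,
  invertedFetchRecord,
  fetchRecord,
})) {
  console.log(name, auditHandler(handler));
}
```

Run it with `node`. The audit is the kind of check that catches an inverted or missing authorization branch before deploy, which is exactly what a founder who cannot read the generated code has no way to do by hand. Note that the hardened handler does not replace database-level Row Level Security; if the database is reachable directly with a public key, as in the Moltbook case, the application check alone protects nothing.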

Who actually owns your code?
Here is a question most vibe coders never ask: can you legally protect what you built?
The platforms say you own the output. Lovable, Replit, and Bolt all have terms that grant you ownership of the generated code. That sounds reassuring until you look at how copyright law actually works.
In March 2026, the US Supreme Court declined to hear Thaler v. Perlmutter, effectively confirming that AI-generated works cannot receive copyright protection. The ruling is clear: copyright law "protects only works of human creation." If your contribution was limited to typing a prompt and clicking "deploy," you likely cannot enforce copyright against anyone who copies your code.
This creates a paradox. You contractually "own" the code per the platform's terms, but you may have no legal recourse if a competitor reverse-engineers or copies your application. For a side project, that might not matter. For a business, it could be devastating.
The EU position is similarly uncertain. While the UK has a provision for "computer-generated works," it remains untested in court. In practice, the legal landscape around AI-generated code ownership is a grey zone that no business should bet their future on without understanding.
What happens when your platform disappears?
Builder.ai was valued at $1.3 billion. Backed by Microsoft and the Qatar Investment Authority. Raised $445 million. Projected $220 million in revenue for 2024.
Actual revenue: $55 million. In May 2025, Builder.ai announced bankruptcy.[7] All employees were let go. Customers, mostly startups and small businesses, were left scrambling to migrate their apps off a dead platform.
According to Gartner, 83% of data migration projects either fail or exceed their budgets and schedules.[8] Mid-sized platform migrations typically take 4 to 6 months; enterprise-scale ones can stretch beyond a year.[9] For AI-generated code with complex dependencies, recovery is far harder.
This is not ancient history. It happened last year.
The leading vibe coding platforms are growing fast, but they are also burning through capital to sustain that growth. Lovable depends on Supabase for authentication, storage, and real-time features. Replit's exports are tightly coupled to its hosting infrastructure. If you build your business on one of these platforms and it pivots, raises prices, or shuts down, your options are limited and expensive.
94% of organizations are now concerned about vendor lock-in.[10] And the cost of migration typically runs twice the initial investment.

When things break, who fixes it?
This might be the most practical question, and the one with the most uncomfortable answer.
An estimated 8,000+ startups that built production apps with AI assistants now require rebuilds or rescue engineering.[11] The estimated cleanup costs range from $400 million to $4 billion industry-wide, with individual companies facing $200,000 to $300,000 in senior engineering costs and 4 to 8 months of re-architecture.
The problem is not that AI-generated code cannot work. It clearly can. The problem is that when it breaks, the person who "built" it often cannot diagnose or fix the issue. They did not choose the architecture. They do not understand the dependencies. They cannot read the error logs.
One particularly telling example: during a code freeze, a Replit Agent "panicked" and deleted 1,206 executive records and 1,196 company records, despite explicit all-caps instructions not to proceed. It then misrepresented recovery options to the user.[12]
AI is not a colleague who understands context and exercises judgment. It is a tool that generates plausible output. When the output is wrong and you cannot tell the difference, small problems become expensive ones very quickly.
Apple noticed. You should too.
In March 2026, Apple began pulling vibe coding apps from the App Store.[13] Replit, Vibecode, and Anything all had updates blocked or were removed entirely.
Apple's concern is straightforward: these apps let users generate and run new code inside the host app, bypassing the App Store review process. Apple cited Guideline 2.5.2, which prohibits apps from executing code that changes functionality after approval.
The rule existed long before AI, but the enforcement is a clear signal. Platforms and app stores are starting to treat unreviewed AI-generated code as a liability. If Apple does not trust it to run in their ecosystem without review, that should give everyone else pause.
Google's Play Store has not applied the same restrictions yet, but the direction is clear.
The right way to use AI for building software
None of this means AI is bad. At Revolter, we use AI tools every day. They make us faster, help us explore solutions, and reduce time spent on repetitive tasks.
But we use AI as an accelerator for expertise, not a replacement for it.
- We choose the right stack deliberately. AI tools default to whatever they were trained on. We evaluate technologies based on the project's actual requirements, scale, and long-term maintainability.
- Every line gets reviewed. AI-generated or not, code earns trust through testing and human review, not through confidence in the prompt.
- We own the architecture. Our developers design systems with clear reasoning. The AI fills in implementation details, but the structural decisions come from experience.
- We plan for the long term. Deploying on infrastructure you control, with code you understand, means you are never one platform decision away from a crisis.
The result: our clients get the speed benefits of AI without the blind spots. Projects are built to be maintained, debugged, and evolved by real people who understand every layer of the system.

What to ask before you build
If you are considering building a digital product in 2026, whether with an AI tool, an agency, or an in-house team, these are the questions that matter:
- Can you export and self-host the code? If the answer is no, you are renting, not building.
- Who reviews the code for security? "The AI handles it" is not an answer.
- What happens if the platform changes or shuts down? If there is no migration plan, you are betting your business on someone else's runway.
- Can someone on your team explain how the code works? If nobody can, you do not have a product. You have a black box.
- Is the code copyrightable? If your competitive advantage depends on your software, understand the IP implications before you ship.
The cheapest option on day one is often the most expensive option by month six.
Building fast and building right are not mutually exclusive
The vibe coding movement has done something genuinely positive: it has shown that building software does not have to be slow, expensive, or mysterious. That is real progress.
But the gap between "it works" and "it is production-ready" is where businesses succeed or fail. Security, ownership, maintainability, and control are not afterthoughts. They are the foundation.
If you are planning a project and want to move fast without the hidden risks, we would love to hear about it.
Footnotes
- [1] Escape.tech: How we discovered vulnerabilities in apps built with vibe coding
- [2] Wiz Blog: Hacking Moltbook: AI social network reveals 1.5M API keys
- [3] SecurityOnline: CVE-2025-48757: Lovable's Row-Level Security breakdown
- [4] InformationWeek: Zero-click hack exposes flaw in Orchids vibe coding platform
- [5] Autonoma: Vibe coding failures: 7 real apps that broke in production
- [7] TechCrunch: Once worth over $1B, Microsoft-backed Builder.ai is running out of money
- [8] Datacenter Knowledge / Gartner: Top cloud migration challenges
- [10] Parallels 2026 State of Cloud Computing Survey (GlobeNewsWire)
- [12] Tom's Hardware: AI coding platform goes rogue during code freeze