How We Found 23 Vulns in a Vibe-Coded App
NeuroStrike Research
Security Research Team
Last month, a startup founder asked us to scan their application before launch. It was a project management tool built with Lovable, using Supabase for the backend. The founder had spent three weeks building it and was ready to onboard their first paying customers. We ran NeuroStrike's autonomous scanner and found 23 exploitable vulnerabilities in 45 minutes.
This is not an unusual result. It is representative of what we see in AI-generated applications. Here is what we found, organized by severity.
Critical Findings (5)
1. Complete Auth Bypass via Direct API Access
The application used Supabase auth on the frontend but did not enforce authentication on the backend. By calling the Supabase REST API directly with the anon key (which was exposed in the client bundle), we could query any table without being logged in. No authentication required.
Impact: complete read access to all data in the database without an account.
2. Row Level Security Disabled on 4 Tables
The projects, tasks, comments, and files tables all had RLS disabled. Any authenticated user could read, modify, and delete any row in these tables. We proved this by creating a second test account and accessing the first account's data.
Impact: any user can read, modify, or delete any other user's data.
3. Supabase Service Role Key in Client Bundle
The service_role key was embedded in the client-side JavaScript. This key bypasses all RLS policies. Even if RLS were properly configured, this key would render it meaningless.
Impact: complete database access with no restrictions, equivalent to having the database password.
4. Exposed Database Connection String
The direct PostgreSQL connection string was in an environment variable that was bundled into the client. This was likely a configuration error in the build process, but the result is that anyone viewing the page source could connect directly to the database.
Impact: direct database access, ability to read, modify, or delete any data, create new database users, or drop tables.
5. Stored XSS in Task Comments
Task comments accepted arbitrary HTML, including script tags. By posting a comment containing JavaScript, we could execute code in any user's browser when they viewed the task. Combined with the auth bypass, this could be used to steal session tokens.
Impact: account takeover via session token theft, data exfiltration, or phishing.
High Findings (8)
- IDOR on user profiles: changing the user ID parameter returned other users' profiles including email and phone number
- Missing rate limiting on login: brute-force attack feasible at 100+ attempts per second
- Password stored in localStorage: accessible via XSS or browser extensions
- No CSRF protection: state-changing requests could be triggered from malicious websites
- File upload without validation: any file type accepted, stored in public bucket, no size limit
- GraphQL introspection enabled: full schema exposed including internal types and mutations
- Debug mode enabled in production: error responses included stack traces and file paths
- Missing Content Security Policy: no protection against XSS payload execution
Medium Findings (6)
- Missing X-Frame-Options: application can be embedded in iframes for clickjacking
- Verbose error messages: database errors returned to client with table names and column details
- Insecure cookie settings: session cookie missing httpOnly and secure flags
- No account lockout: unlimited failed login attempts with no delay or lockout
- Email enumeration: different error messages for valid and invalid emails on login page
- Missing Referrer-Policy: full URLs leaked to third-party services via referer header
Low Findings (4)
- Missing Permissions-Policy header
- Server version header exposed (Supabase version disclosed)
- Autocomplete enabled on password fields
- No security.txt file
The Fix
The founder spent two days fixing the critical and high issues. The key changes:
- Removed service_role key from client bundle and moved all sensitive operations to Supabase Edge Functions
- Enabled RLS on all tables and wrote proper policies restricting access to the authenticated user's data
- Added input sanitization on all user-generated content fields
- Implemented rate limiting via Cloudflare and Supabase Edge Functions
- Rotated all exposed credentials and secrets
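To make the RLS step concrete, here is an added example (not the founder's code and not NeuroStrike's output) of what enabling RLS and writing owner-scoped policies looks like for the four tables the scan flagged. The column names owner_id, project_id and task_id, and the assumption that access follows project ownership, are ours, not the application's real schema.

```sql
-- Added example; assumed columns: projects.owner_id, tasks.project_id,
-- comments.task_id, files.project_id.

-- 1. Enable RLS. With RLS on and no policies, every role except the
--    service_role (which has BYPASSRLS) is denied, so the unauthenticated
--    anon-key read from finding #1 stops working immediately.
alter table public.projects enable row level security;
alter table public.tasks    enable row level security;
alter table public.comments enable row level security;
alter table public.files    enable row level security;

-- 2. Scope access to the logged-in user via auth.uid(). Policies are
--    granted only to the authenticated role; anon gets nothing.
create policy "projects_owner" on public.projects
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Child tables inherit access from the parent project. The WITH CHECK
-- clause stops a user inserting rows that point at someone else's project.
create policy "tasks_via_project" on public.tasks
  for all to authenticated
  using (exists (select 1 from public.projects p
                 where p.id = tasks.project_id and p.owner_id = auth.uid()))
  with check (exists (select 1 from public.projects p
                      where p.id = tasks.project_id and p.owner_id = auth.uid()));

create policy "comments_via_task" on public.comments
  for all to authenticated
  using (exists (select 1 from public.tasks t
                 join public.projects p on p.id = t.project_id
                 where t.id = comments.task_id and p.owner_id = auth.uid()))
  with check (exists (select 1 from public.tasks t
                      join public.projects p on p.id = t.project_id
                      where t.id = comments.task_id and p.owner_id = auth.uid()));

create policy "files_via_project" on public.files
  for all to authenticated
  using (exists (select 1 from public.projects p
                 where p.id = files.project_id and p.owner_id = auth.uid()))
  with check (exists (select 1 from public.projects p
                      where p.id = files.project_id and p.owner_id = auth.uid()));

-- 3. Regression check for the re-scan: any public table still listed here
--    has RLS off and is exposed the way findings #1 and #2 describe.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

The service_role key bypasses every policy above, which is why it belongs only in Edge Functions or another server-side context and never in the client bundle.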
After the fixes, we re-scanned. The critical and high findings were resolved. Three medium findings remained and were acceptable for launch with a plan to address them in the first sprint.
The Takeaway
Twenty-three vulnerabilities. Forty-five minutes. A three-week-old application built with modern tools. This is the current state of AI-generated application security. The tools are amazing for productivity. They are terrible for security. And that gap is exactly why we built NeuroStrike.
Run a vibe scan before you launch. It takes less time than a coffee break and it might save you from a breach that costs your business.