The predictable ones, in rough order: exposed keys get found, the open database gets read, logins that never really protected anything get bypassed, and the app buckles under real traffic or edge cases. Vibe-coded apps optimise for a working demo, so the parts that only matter with real users and real attackers are the parts that fail first.
Information current as at 5 July 2026
Apps built quickly with AI, sometimes called vibe-coded, tend to fail in a recognisable pattern, because they are all optimised for the same thing: making the demo work. The parts that only matter once real people and real pressure arrive are the parts that get skipped, and so they are the parts that break first. Knowing the pattern lets you reinforce the weak points before they give.
The earliest and most common failure is not the app crashing, it is a secret being found. Vibe-coded apps frequently ship with API keys and database credentials sitting in the frontend or a public repository, and automated tools scan the internet for exactly these strings constantly. So the first thing that breaks is often invisible: a key is discovered and quietly used, running up charges or reaching data, before the owner notices anything. Technology press reporting (XDA Developers) has described vibe-coded apps routinely shipping with exposed keys and data, and this is why it leads the list. It requires no skill to exploit a key left in plain sight, only a scanner that finds it.
Close behind is the database that was never locked down. When an AI builder wires up data storage to make a feature work, it often leaves the access rules permissive or unset, because restrictive rules would get in the way of the demo. The result is a database that, in principle, anyone who learns its address can read from or write to. This holds firm right up until someone looks, and then it fails completely, exposing whatever it holds. Because customer data cannot be un-leaked, this is among the most damaging failures, and it is entirely silent until the moment it is not. An open database does not degrade gracefully; it is either protected or it is not.
If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.
The third failure is authentication that protects the appearance of privacy but not the substance. A vibe-coded app often hides a page behind a login in the browser, while the data behind it remains reachable by anyone who asks the server directly, bypassing the login entirely. Similarly, the check for whether one user may see another user's record is frequently missing, so changing a number in the address exposes someone else's information. These hold up under casual use, which is why they pass the demo, and give way the moment anyone tests them properly. The login looked like a wall; it was a curtain.
The last category is everything that only matters at scale or under stress, and it arrives last because it needs real users to trigger. Inputs the build never anticipated, a strange character, a huge upload, an empty field, cause errors because validation was skipped. Actions that can be repeated endlessly, like sign-ups or messages, get abused because there was no rate limiting. Performance sags because the app fetches too much or was never tested beyond a handful of records. None of these show up when the maker clicks through gently. They surface when the app meets the messy reality of many people using it in ways the demo never did. The fix for the whole pattern is the same: treat the invisible parts, security, access, validation, resilience, as real work rather than assuming a working demo means a finished product.
If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.
Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.