Vibe Coding Failures

A curated directory of documented incidents where AI-generated and vibe-coded software failed in production. Every entry cites its authoritative source.

Last updated: March 2026

19 Incidents | 6.3M+ Records | 5,600+ Apps | 69 Vulns
Amazon | CRITICAL | Mar 5, 2026

6-hour outage wipes 99% of U.S. order volume

~6.3 million lost orders | Production Outages | D3 Security

Amazon | HIGH | Mar 2, 2026

Incorrect delivery times appear in shopping carts

~120,000 lost orders | Production Outages | Autonoma AI

DataTalks.Club | CRITICAL | Mar 2026

Claude Code runs terraform destroy, nukes 2.5 years of production data

1.94M rows lost, 100K+ students affected | Production Outages | Tom's Hardware

Orchids | CRITICAL | Feb 2026

Zero-click hack hijacks BBC reporter's laptop in live demo

1M+ platform users at risk | Data Exposures | InformationWeek

Moltbook | CRITICAL | Feb 2026

Misconfigured database exposes 1.5M auth tokens and 35K emails

1.5M tokens + 35K emails exposed | Data Exposures | Towards Data Science

Meta | HIGH | Jan 2026

AI agent posts incorrect security guidance, grants unauthorized access for 2 hours

2-hour unauthorized access to sensitive code | Production Outages | Autonoma AI

5,600 Vibe-Coded Apps | CRITICAL | 2026

2,000+ vulnerabilities and 400+ exposed secrets across vibe-coded apps

2,000+ vulns, 400+ exposed secrets | Data Exposures | Escape.tech

OpenClaw | CRITICAL | 2026

CVE-2026-31992: allowlist bypass via env -S, CVSS 9.9

CVSS 9.9, full guardrail bypass | Insecure AI Code | NVD

Gemini CLI | HIGH | 2026

Agent destroys entire project by looping move command to non-existent directory

Total irreversible project data loss | Production Outages | Snyk

Amazon | HIGH | Dec 2025

AI agent deletes and recreates environment, causes 13-hour outage

13-hour AWS outage (China) | Production Outages | Autonoma AI

Meta | HIGH | Dec 2025

AI agent deletes 200+ emails from Director of AI Safety

200+ emails permanently deleted | Production Outages | Autonoma AI

npm ecosystem | HIGH | Aug-Oct 2025

126 malicious npm packages exploit AI hallucinated package names

86,000+ downloads, credential theft | Supply Chain | Aikido Security

SaaStr / Replit | HIGH | Jul 2025

Replit AI agent violates code freeze, wipes entire production database

Complete production DB wiped, months of data at risk | Production Outages | The Register

Tea | CRITICAL | Jul 2025

72,000 images and 1.1M private messages exposed via open Firebase bucket

72K images + 1.1M messages leaked | Data Exposures | Engadget

Lovable | CRITICAL | May 2025

CVE-2025-48757: missing Row Level Security exposes 170+ apps

170+ production apps exposed | Data Exposures | Autonoma AI

Enrichlead | HIGH | Late 2025

Startup shuts down after AI puts all security logic on the client side

Complete startup shutdown | Production Outages | DEV Community

Base44 | HIGH | 2025

Broken access controls expose every app on the platform

Platform-wide exposure | Data Exposures | Accorian Security

Hugging Face (PyPI) | HIGH | 2025

AI-hallucinated package name gets 30,000+ real downloads

30,000+ downloads of fabricated package | Supply Chain | Lasso Security

Databricks Red Team | CRITICAL | 2025

Claude scaffolds multiplayer game with instant RCE via insecure pickle serialization

Network-wide RCE in functional game | Insecure AI Code | Databricks

Why this matters

These failures share a common root cause: code was shipped by people who did not understand it. AI generated something that looked correct, passed a cursory check, and went to production. The result was exposed databases, lost orders, and vulnerabilities that required zero user interaction to exploit.

The pattern is accelerating. CVE entries attributed to AI-generated code jumped from 6 in January 2026 to 35+ in March. A Tenzai study found 69 vulnerabilities across 15 apps built by 5 major AI coding tools. Every single app lacked CSRF protection. Every tool introduced SSRF vulnerabilities.

The antidote is the same as it has always been: understand your code. Data structures, algorithms, system design, and the ability to reason about what software is actually doing. AI is a powerful tool when wielded by someone who understands the output. Without that understanding, it is a liability.


Frequently asked questions

What is vibe coding?
Vibe coding is a term coined by AI researcher Andrej Karpathy in early 2025. It refers to the practice of describing what you want in natural language, accepting whatever code an AI generates, and shipping it without review. The developer "gives in to the vibes" rather than understanding the code.

What are the biggest vibe coding failures?
The most significant documented failure is Amazon's March 2026 outage, where an AI-assisted code deployment caused a 6-hour shutdown of Amazon.com and an estimated 6.3 million lost orders. Other major incidents include Moltbook's exposure of 1.5 million authentication tokens, Orchids' zero-click hack demonstrated on BBC News, the Replit AI agent that wiped SaaStr's production database, and Claude Code running terraform destroy on 2.5 years of production data.

Is vibe coding safe for production?
The evidence suggests it is not. A December 2025 study by security firm Tenzai found 69 vulnerabilities across 15 apps built by 5 major AI coding tools. Every single app lacked CSRF protection, every tool introduced SSRF vulnerabilities, and zero apps set security headers. Escape.tech found 2,000+ vulnerabilities across 5,600 vibe-coded apps. Veracode's 2025 report found that 45% of AI-generated code introduced security flaws.

How many security vulnerabilities has AI-generated code caused?
The number is growing rapidly. Escape.tech found 2,000+ vulnerabilities across 5,600 vibe-coded apps. A December 2025 Tenzai study found 69 vulnerabilities across 15 apps built by 5 major AI coding tools. Veracode reported that 45% of all AI-generated code contains at least one security flaw.

What are common patterns in vibe coding failures?
The most common patterns are: AI agents taking destructive actions (deleting databases, running terraform destroy), AI-generated code with client-side security logic, misconfigured databases with no authentication, and AI hallucinating non-existent package names that attackers register as malware. The recurring theme is shipping AI output without human review.