Vibe Coding: What It Is, Risks and Security in 2026
Vibe coding is no longer a meme; it became an industry standard in 2026. See what it is, adoption numbers, and the security risks no one tells you about.
by Cleverson Gouvêa

Vibe coding is the fastest way to write software today — and also the most dangerous when done on the fly. The term, coined in 2025, describes a way of programming where you describe the intent in natural language and let the AI generate, refine, and debug the code for you. In 2026, it moved from Twitter into banks, startups, and even trading systems. In this guide, I separate hype from reality: adoption, tools, documented security risks, and how to use it without getting burned.
TL;DR
- Vibe coding is intent-driven programming: you talk to the AI and it writes the code, instead of you typing line by line.
- Adoption has exploded: AI already generates 46% of all new code on GitHub in 2026, projected to reach 60% by year-end.
- The risk is real: studies from Q1 2026 show that 40% to 62% of AI-generated code contains vulnerabilities.
- The problem isn't the tool, it's the process: most developers don't review what the AI delivers before pushing to production.
- You can use it well — with review, testing, limited scope, and the right safeguards.
What is vibe coding (and where the term came from)
The term vibe coding was coined by Andrej Karpathy, former AI director at Tesla and co-founder of OpenAI, on February 2, 2025, in an X post that garnered over 4.5 million views. The phrase that stuck was direct: "fully give in to the vibes, embrace the exponentials, and forget that the code even exists."
In practice, vibe coding is programming by conversation. Instead of writing each function by hand, you describe what you want — "create a login screen with password recovery" — and an AI assistant generates the code, adjusts based on your feedback, and corrects its own errors. Karpathy described the flow using Cursor's Composer with Anthropic models, programming by voice, barely touching the keyboard.
The term stuck so much that the Collins Dictionary named "vibe coding" one of the words of the year for 2025. But it's important to separate two things that are often confused: pure vibe coding (accepting what the AI generates without reading) is different from AI-assisted coding (using AI with active human review). This distinction, as you'll see, is exactly the line between productivity and disaster.
How vibe coding exploded in 2026
In just over a year, vibe coding went from a weekend experiment to business infrastructure. The numbers make this clear:
- AI is already responsible for 46% of all new code on GitHub in 2026, projected to reach 60% by year-end.
- About 40% of new SaaS MVPs are built primarily with vibe coding.
- 25% of startups from Y Combinator's Winter 2025 batch run on codebases that are 95% AI-generated.
- Cursor, one of the leading tools, reached US$2 billion in annualised revenue in early 2026.
It's not just startups. In May 2026, Bloomberg reported that Dutch bank ING is using vibe coding to build electronic forex and credit trading tools. That same month, Lovable invested in a Danish hardware startup, Atech, which aims to bring vibe coding to the physical world: you buy a kit, describe the prototype to a chatbot, and receive the ready code.
As a full-stack developer with over 15 years of experience, I see this with both feet on the ground. The speed is real — prototypes that used to take a week are done in an afternoon. But speed without discipline in software has a name: technical debt accumulating compound interest.
The tools dominating vibe coding
The ecosystem has organised around two tool profiles. Understanding the difference helps you choose the right one for each stage.
| Tool | Profile | Best for |
|---|---|---|
| Lovable / Bolt | In-browser generators | Quick prototyping, idea validation, landing pages |
| Cursor / Claude Code | Agentic IDEs | Production code, refinement, large codebases |
| GitHub Copilot | Integrated assistant | Contextual autocomplete in daily work |
| v0 / Replit Agent | UI and app generation | Prompt-driven interfaces and full-stack apps |
A workflow that gained traction in 2026 is what they call the "graduate workflow": you start prototyping in a browser tool like Bolt or Lovable, and once the idea is proven, you migrate the code to an agentic IDE like Cursor or Claude Code to refine it to production level. I detailed this same shift toward agentic IDEs in the post about Google Antigravity 2.0, which shows how Google entered this fight.
The point that almost no tutorial mentions: the tool does not exempt you from knowing what is happening. It accelerates those who know and hides the pitfalls from those who don't.
The dark side: security risks of vibe coding
Here is the part that enthusiasm usually sweeps under the rug. When you accept code without reading, you also accept the flaws that come with it — and they come.
Georgia Tech launched the Vibe Security Radar in 2026, after realising that no one was tracking vulnerabilities introduced by AI tools. In March 2026 alone, the radar recorded 35 new CVE entries directly caused by AI-generated code — more than in all of 2025 combined, and a jump from 6 in January.
Studies from Q1 2026 are consistent and uncomfortable:
- Between 40% and 62% of AI-generated code contains security vulnerabilities.
- AI-written code produces flaws at a rate 2.74 times higher than human code.
- XSS (cross-site scripting) vulnerabilities appeared in 86% of samples of AI code tested across five different LLMs.
- A meta-analysis from January 2026, covering 78 studies on agentic code assistants, found attack success rates above 85% when adaptive strategies are used — and most published defences block less than 50% of these attacks.
This ties directly to other development supply chain threats we've covered, such as the Shai-Hulud infected NPM packages: AI-generated code often pulls dependencies without checking their provenance, widening the supply chain attack surface.
The "trust paradox" of AI-generated code
The most revealing data point of 2026 is not about AI — it's about us. There is a dangerous mismatch between what developers believe and what they do.
Industry surveys show that 96% of developers do not fully trust that AI-generated code is functionally correct. 61% agree that AI produces code that looks right but is not reliable. Yet only 48% always review the code before committing. In other words: most know the code might be wrong, yet more than half don't always check.
Why does this happen? Because 82% of the same group say AI helps them code faster. Speed trumps prudence. It's the classic psychological shortcut: when something looks ready and the deadline is tight, the brain treats review as a cost, not as safety.
This is the core problem of vibe coding. It's not that AI is incompetent — it's that it's convincing. Code that compiles and runs on the demo screen can hide an SQL injection, an exposed API key, or an authorisation flaw that only appears when someone with malicious intent looks for it.
When to use vibe coding (and when NOT to)
Vibe coding is neither good nor bad — it's a tool with right and wrong contexts. After applying it in real client projects, here is my honest yardstick.
Use vibe coding without fear when:
- You are prototyping to validate an idea that may be discarded.
- The project is internal, with no sensitive data and no public exposure.
- You master the domain and can review what the AI delivers.
- It's a one-off script, a simple automation, or a UI draft.
Avoid pure vibe coding when:
- The system handles payments, personal data (GDPR), or authentication.
- The code goes to production without a human review step.
- No one on the team deeply understands what was generated.
- The codebase is already large and a poorly understood change could break dependencies.
The rule of thumb: the higher the cost of an error, the smaller your "vibe" and the greater your rigour. Trading, healthcare, and finance don't mix with "forget that the code exists."
How to do vibe coding safely: a practical checklist
You can reap the speed of vibe coding without inheriting the security liability. The secret is to treat AI as a brilliant but rushed junior developer — who needs supervision. Here is the process I adopt:
- Specify before generating. A vague prompt yields vague code. Describe requirements, constraints, and edge cases. The better the brief, the better the result.
- Read everything that goes to production. Don't commit what you don't understand. If you don't understand, ask the AI to explain — and be suspicious if the explanation is evasive.
- Run static analysis and SAST. Automated tools catch injections, exposed secrets, and insecure patterns before deployment.
- Write (or ask for) real tests. Test coverage is the best antidote to "it seems to work."
- Audit dependencies. Check every package the AI imports. Invented or compromised libraries are a real attack vector.
- Limit the scope of each interaction. Small, reviewable changes beat large refactorings that AI does in one go and no one can audit.
- Never expose secrets in the prompt. Keys, tokens, and credentials do not go into the conversation with the AI.
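To make the "looks right but hides an SQL injection" point from the trust-paradox section concrete, and to show what steps 2 to 4 of the checklist (read, scan, test) catch, here is an added example that is not from the original post: the kind of user lookup an assistant produces when asked to "find the user by name", next to the reviewed version, and the review test that separates them. The table, accounts and helper names are constructed for the example; it uses only Python's built-in sqlite3.

```python
# Added example (not code from the original post). A vibe-style lookup that
# builds SQL by string formatting, the reviewed parameterised version, and the
# test a human reviewer adds before merging. All data is constructed inline.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a single users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vibe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Compiles and works on the demo screen: the username is pasted into the
    SQL text, so any quote in the input changes the query itself (CWE-89)."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_reviewed(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Same result for honest input; the value is bound as a parameter, so
    the database never interprets it as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def review_gate(lookup) -> bool:
    """The test a reviewer adds: a lookup must return only the matching row,
    and nothing at all for a name that does not exist, even when the input
    carries SQL metacharacters. Returns True when the function passes."""
    conn = setup_db()
    hostile = "nobody' OR '1'='1"  # constructed: no such account exists
    try:
        rows = lookup(conn, hostile)
    except sqlite3.Error:
        return False  # a crash on odd input is a failed review too
    return rows == [] and lookup(conn, "alice") == [("alice", "admin")]


if __name__ == "__main__":
    print("vibe version passes review:", review_gate(find_user_vibe))  # False
    print("reviewed version passes review:", review_gate(find_user_reviewed))  # True
```

Running the gate against the first function returns both accounts for a user that does not exist, which is exactly the flaw that a green demo hides; a SAST rule for string-built SQL flags the same line without running anything.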
This care for the software supply chain is not paranoia: we've already seen cases like the GitHub breach via a malicious VS Code extension, where blind trust in the ecosystem cost dearly.
The future of vibe coding and the developer's role
The question I hear most is whether vibe coding will end the programmer profession. My reading, after following this movement closely, is the opposite: it raises the bar for what it means to be a developer.
What loses value is typing — writing boilerplate, configuring the trivial, remembering syntax. What gains value is what AI still doesn't do well: architecture, security judgment, business understanding, the ability to critically review and say "this is wrong and here's why." The developer becomes less of a typist and more of a reviewer, architect, and final responsible party.
It's the same logic as the AI agents arriving in companies: they automate execution, but someone needs to define the goal, validate the result, and bear the consequences. AI doesn't take responsibility — you do.
Vibe coding is a powerful lever. Like any lever, it multiplies force in both directions: good work and error. Those who use it with discernment will deliver more and better. Those who use it on the fly will discover, the hard way, why the 96% don't fully trust it.
Conclusion: speed with responsibility
Vibe coding is the biggest change in how we program in a decade, and it's not going back — in 2026 it's already mainstream, from startups to banks. But the same numbers that show adoption also show the risk: code too fast to be reliable when no one reviews. The good news is that productivity and security are not enemies; they just need process.
If your company is considering adopting vibe coding or putting AI into the development flow without creating gaps, it's worth talking to someone who has done it in practice. At Agathas Web, we combine the speed of new stacks with the rigour of those who have kept critical systems running for over 15 years.