62% of AI-generated code ships with vulnerabilities. Founders commissioning software need to know this.
Veracode testing found 45% of AI-generated code introduces OWASP Top 10 vulnerabilities. CVEs directly attributed to AI-generated code tripled month-on-month in early 2026. If you're commissioning a product built with AI tools, the security question is no longer hypothetical.
25 June 2026
Veracode tested over 100 large language models on security-sensitive coding tasks. 45% of AI-generated code samples introduced OWASP Top 10 vulnerabilities. OX Security puts the number higher — 62% of AI-generated code ships with at least one security issue.
This is not a reason to avoid AI-assisted development. It’s a reason to understand how it’s being done before you commission a product built with it.
The numbers getting worse, not better
March 2026 data from the Cloud Security Alliance shows 35 CVEs directly attributed to AI-generated code, up from 15 in February and 6 in January. Georgia Tech researchers estimate the actual figure is 5 to 10 times what’s being detected, projecting 400 to 700 AI-introduced vulnerabilities across the open-source ecosystem this year alone.
The most common failure modes are consistent across tools: hardcoded credentials, broken authentication, injection vulnerabilities, insecure infrastructure defaults, and unverified dependencies. AI models generate these patterns at scale because they reproduce what appears in training data — and insecure patterns are well-represented.
The Moltbook case
In January 2026, a social network for AI agents called Moltbook launched with the founder publicly stating he hadn’t written a single line of code. In February, 1.5 million API authentication tokens were exposed. The AI had scaffolded the database with permissive development settings, and the founder — who had never reviewed the infrastructure code — deployed it as written.
This is the failure mode to understand: not that AI tools write bad code, but that AI tools write plausible-looking code that can conceal serious misconfiguration. The problem is not visible from the outside until it fails.
What to ask before you commission
The question for founders evaluating a development partner isn’t “do you use AI tools?” — at this point, the answer is almost certainly yes. The questions that matter are:
- What does your code review process look like for AI-generated output?
- Who is responsible for reviewing infrastructure and authentication code specifically?
- Do you run automated security scanning (SAST, dependency audit) as part of your CI pipeline?
- How do you handle the security review before a product goes to production?
A team that can answer these concretely — not vaguely — is working with AI tools responsibly. A team that can’t answer them is potentially shipping at vibe-coding speed with vibe-coding risk.
The headline statistic (62% of AI-generated code has vulnerabilities) is a warning about process, not about the tools themselves. When development teams have proper review, scanning, and security testing in place, AI assistance accelerates delivery without transferring that risk to the finished product.
Our custom software development and AI-assisted development work includes security review as a standard part of the delivery process. If you want to understand how that works in practice, start a project conversation.