A recent security breach at Vercel, the popular cloud platform powering Next.js applications, has highlighted critical vulnerabilities in OAuth authentication processes tied to platform environment variables. Attackers gained unauthorized access to internal production systems through a chain of events starting with a single employee adopting an unvetted AI tool, which was later compromised by an infostealer malware infection at the tool's vendor. This incident underscores the hidden risks in third-party integrations, where seemingly innocuous OAuth grants can provide broad access without sufficient review.
According to reports from Hacker News discussions, the breach occurred in April 2026 and involved a Roblox cheat alongside the AI tool, effectively bringing down parts of Vercel's platform. VentureBeat detailed how the attack chain allowed a "walk-in path" to production environments, with cybersecurity firm Mandiant investigating the scope. Vercel confirmed the unauthorized access on a Sunday, prompting immediate containment efforts, though the full extent of data exposure remains under review. Such OAuth gaps are particularly hard for security teams to detect, as they often bypass traditional scoping and monitoring.
The Vercel incident is part of a broader crisis in "vibe coding" platforms, where AI-driven development tools generate code rapidly but introduce systemic security flaws. Lovable, a vibe-coding platform valued at $6.6 billion with eight million users, has suffered multiple exposures, including API vulnerabilities that left AI prompts, user chat histories, and thousands of projects open to public view. A researcher using the handle @weezerOSINT discovered one such flaw, allowing cross-user access to sensitive data, as reported by Fast Company.
Further scrutiny revealed Lovable's issues stemmed from misconfigurations in backend services like Supabase, lacking proper Row Level Security (RLS) policies. Security analyses, including those from The Register and Superblocks, identified over 170 apps affected by CVE-2025-48757, exposing emails, phone numbers, payment details, API keys, and developer credentials. In one case, a Lovable-hosted app leaked data on 18,000 users due to critical flaws in authentication and access controls. The platform left a Broken Object Level Authorization (BOLA) vulnerability open for 48 days after closing a bug bounty report without escalation, according to The Next Web.
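To make the RLS misconfiguration concrete, here is an added example (constructed for this article, not code from Lovable, Supabase, or any affected app) showing a Supabase/Postgres table as a vibe-coded app typically ships it, the same table with RLS enabled and per-user policies, and a query a defender can run to find tables still missing RLS. The table, column names, and policy names are assumptions; `auth.uid()` is Supabase's built-in helper returning the calling user's id.

```sql
-- Constructed schema for illustration; assumes Postgres with Supabase's auth.uid().

-- WEAK: table created with no RLS. Through Supabase's auto-generated REST API,
-- anyone holding the public anon key can read or change every row, which is the
-- missing-authorization (BOLA/IDOR) condition described above.
create table public.profiles (
  id        uuid primary key,
  owner_id  uuid not null,   -- would reference auth.users(id) in a real project
  email     text not null,
  phone     text,
  api_key   text             -- secrets stored like this leak when RLS is off
);

-- CORRECTED: turn on RLS (deny-by-default) and grant access only to row owners.
alter table public.profiles enable row level security;
-- Apply the policies to the table owner as well, not just other roles.
alter table public.profiles force row level security;

create policy profiles_select_own on public.profiles
  for select to authenticated
  using (owner_id = auth.uid());

create policy profiles_insert_own on public.profiles
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy profiles_update_own on public.profiles
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- No policy is granted to the anon role, so unauthenticated requests see zero rows.

-- CHECK: list tables in the public schema that still have RLS disabled.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

The final query should return no rows in a correctly locked-down project; any table it lists is exposed to every holder of the anon key.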
These events affect millions of developers and users relying on AI-assisted coding tools for rapid app creation. Vulnerable apps have exposed everything from government IDs in a dating app to 1.5 million API tokens across scanned projects, with common holes like hardcoded secrets, missing authentication, open databases, and IDOR flaws appearing repeatedly in vibe-coded software. Kaspersky and Checkmarx reports emphasize how AI tools reproduce insecure patterns from training data, introduce unverified dependencies, and hardcode credentials, amplifying supply chain risks.
Lovable has responded by contacting affected app owners and acting swiftly on recent disclosures—their CISO noted that one report was fixed within minutes of its proper submission. However, the pattern of incidents raises questions about accountability in AI-generated code, where platforms often shift responsibility to users. Vercel has not yet detailed long-term fixes, but experts call for better OAuth vetting and security guardrails in AI workflows.
What happens next could reshape developer trust in these platforms. With vibe coding's rise, security researchers urge continuous assurance—scanning AI output in IDEs, validating dependencies, and enforcing RLS from the start—rather than reactive patches. As breaches like these proliferate, affected users face identity theft risks, while platforms must prove they can secure the speed of AI innovation without compromising safety.