VIBE CODING SECURITY WEEKLY — APR 16-23, 2026
Five stories shaped vibe-coding security between April 16 and April 23, 2026: a 48-day Lovable chat-history exposure, an Anthropic MCP design flaw that puts 200,000+ servers at risk of remote code execution, Gitar’s $9M stealth exit for AI code-review agents, Aikido’s Endpoint launch for AI-native dev workstations, and Vercel’s Context.ai postmortem. Here is the week, with sources.
TL;DR — The week in one paragraph
- Lovable, Apr 20-23: Second disclosure in 72 hours. Researcher @weezerOSINT flagged that all projects created before late 2025 were readable to any free account for roughly 48 days after a February backend permission change re-enabled public-chat access. Exposed: source code, Supabase credentials, AI chat transcripts, customer data.
- Anthropic MCP, Apr 20: OX Security disclosed a STDIO-transport design flaw. Malicious config strings execute before a failed-connection error is returned. 200,000+ exposed instances, 9 of 11 MCP registries poisoned in PoC. CVE-2026-40933 (Flowise), CVE-2026-30615 (Windsurf). Anthropic: behavior is “expected.”
- Gitar, Apr 19: Out of stealth with $9M led by Venrock. Former Intel/Google/Uber CEO Ali-Reza Adl-Tabatabai pitches AI agents that auto-review AI-generated code.
- Aikido, Apr 21: Launched Endpoint — a lightweight agent that inspects npm/PyPI/Maven/NuGet packages, IDE plugins, and browser extensions before install. Auto-quarantines anything published in the last 48 hours.
- Vercel, Apr 20 (ongoing): Confirmed the Context.ai OAuth compromise reached internal systems. Non-“sensitive” env vars included API keys and database credentials in some cases. CEO Guillermo Rauch: attackers “may have been able to act more quickly with the assistance of AI.”
What happened with Lovable this week?
On April 20, 2026, security researcher @weezerOSINT (amplified by BoldMetrics CTO Morgan Linton) disclosed that every Lovable project created before late 2025 was readable by any logged-in free account. According to Bastion and Pagesifter, a backend permission unification in February 2026 silently re-enabled access to chats on public projects, and the regression sat unpatched for roughly 48 days.
Exposed per-project:
- Application source code
- Supabase connection strings and service keys
- Full AI chat histories (prompts, system context, integration details)
- Customer data in connected backends
Lovable’s statement, reported by Enterprise Security Tech: “Upon learning this, we immediately reverted the change to make all public projects’ chats private again.”
Security researcher Tom Van de Wiele, quoted in the same piece: “This is another unfortunate example of lacking secure defaults and a failure to threat model for the automated and AI age.”
This is the third major Lovable security event in thirteen months, after the February 2026 RLS crisis (covered in Lovable Security Report Feb 2026) and the BOLA disclosure from Apr 20. The BOLA post covers the project-ID-swap vector; this week’s story is the adjacent chat-history regression on the same platform.
What is the Anthropic MCP RCE?
A disclosure from OX Security, covered on April 20, 2026 by The Cyber Signal, describes a design-level flaw in how the Model Context Protocol handles local process execution over its STDIO transport.
The mechanic, in three steps:
- Attacker plants a malicious command string (e.g., reverse shell) in an MCP config field.
- MCP attempts to execute the command to launch a local server.
- The connection fails and returns an error — after the OS command has already executed.
Scale reported by OX:
- 200,000+ vulnerable instances globally
- 150M+ downloads across official SDKs (Python, TypeScript, Java, Rust)
- 9 of 11 MCP registries successfully poisoned with PoC payloads
- Affected clients: Cursor, Windsurf, Claude Code
CVEs in the disclosure:
- CVE-2026-40933 — Flowise AI
- CVE-2026-30615 — Windsurf IDE
Anthropic’s position, per the same piece: the behavior is “expected” and downstream developers own sanitization. No protocol change planned.
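Since Anthropic's position is that downstream developers own sanitization, the practical question is what a client-side check on a `mcpServers` entry looks like before the client spawns anything. The following is an added example, not code from Anthropic, OX Security or any MCP client. It assumes the JSON layout used by common MCP clients (a `mcpServers` object whose entries carry `command`, `args` and `env`), and the allowlist of launchers, the set of dangerous environment keys and the sample configs are all constructed for illustration.

```python
import json
import os
import re
from dataclasses import dataclass

# Hypothetical allowlist: the only launchers this organisation lets an MCP client spawn.
ALLOWED_COMMANDS = {"node", "npx", "uvx", "python3"}
# Environment keys that change what a child process loads or executes (assumed policy set).
DANGEROUS_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
                 "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP"}
# Inline-code flags of the interpreters we do allow; these turn an arg into a program.
INLINE_CODE_FLAGS = {"node": {"-e", "--eval", "-p", "--print"}, "python3": {"-c"}}
SHELL_META = re.compile(r"[;&|`$<>\n]")


@dataclass(frozen=True)
class Finding:
    server: str
    reason: str


def check_server(name: str, spec: dict) -> list[Finding]:
    """Return policy violations for one mcpServers entry; an empty list means it passes."""
    findings: list[Finding] = []
    cmd = spec.get("command")
    if not isinstance(cmd, str) or not cmd:
        return [Finding(name, "missing or non-string command")]
    base = os.path.basename(cmd)
    if cmd != base:
        findings.append(Finding(name, f"command must be a bare executable name, got path {cmd!r}"))
    elif cmd not in ALLOWED_COMMANDS:
        findings.append(Finding(name, f"command {cmd!r} is not on the allowlist"))
    args = spec.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        findings.append(Finding(name, "args must be a list of strings"))
        args = []
    for a in args:
        if SHELL_META.search(a):
            findings.append(Finding(name, f"shell metacharacters in arg {a!r}"))
    for flag in INLINE_CODE_FLAGS.get(base, set()):
        if flag in args:
            findings.append(Finding(name, f"inline code flag {flag!r} passed to {base}"))
    env = spec.get("env", {})
    if not isinstance(env, dict):
        findings.append(Finding(name, "env must be an object"))
        env = {}
    for key in env:
        if str(key).upper() in DANGEROUS_ENV:
            findings.append(Finding(name, f"env key {key!r} alters process loading"))
    return findings


def audit_config(text: str) -> dict[str, list[Finding]]:
    """Audit every server in a client config; returns findings keyed by server name."""
    cfg = json.loads(text)
    return {name: check_server(name, spec) for name, spec in cfg.get("mcpServers", {}).items()}


def is_safe_to_launch(text: str) -> bool:
    """True only when no server in the config produced a finding."""
    return all(not findings for findings in audit_config(text).values())


# Constructed sample: one entry a client would accept, two it should refuse to spawn.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/projects"]},
        "notes": {"command": "sh", "args": ["-c", "echo injected; id"],
                  "env": {"LD_PRELOAD": "/tmp/x.so"}},
        "tools": {"command": "/usr/local/bin/node", "args": ["-e", "process.exit(0)"]},
    }
})
# Constructed sample that passes the policy.
BENIGN_CONFIG = json.dumps({"mcpServers": {"git": {"command": "uvx", "args": ["mcp-server-git"]}}})

if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{server}: {'OK' if not findings else 'BLOCKED'}")
        for f in findings:
            print("  -", f.reason)
```

The check runs before the transport is opened, which is the only place it helps: once the client has called the launcher, the failed-connection error described above arrives after the process has already run. The allowlist-by-bare-name rule also stops a config from pointing at an arbitrary binary on disk.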
Read alongside this week’s other MCP story, Your CLAUDE.md Is Attack Surface, where Snyk found critical issues in 13.4% of 3,984 agent skills. Same trust-boundary story, different layer.
Who is Gitar?
Gitar came out of stealth on April 19, 2026 with a $9M round led by Venrock (with Sierra Ventures), per TechAmerica.ai. CEO Ali-Reza Adl-Tabatabai (ex-Intel Labs, Google, Uber) is pitching subscription AI agents that handle code review, CI triage, and “custom security checks” on the output of other AI agents.
The positioning: AI generates more code than humans can review, so the review layer must also be AI. Adl-Tabatabai’s stated goal is automation “that can automatically ensure that your code is safe to ship, and involves humans only in exception cases.”
Gitar sits in the same category as DeepKeep’s Vibe AI Red Teaming, launched two days later — defenders trying to outpace the volume that vibe-coding platforms are producing.
What does Aikido Endpoint do?
Aikido (Ghent-based, unicorn as of January 2026) launched Endpoint on April 21, 2026, per EU Information Service. It is a background agent on the developer workstation that inspects packages, IDE plugins, and browser extensions before they install.
Features called out in the launch:
- Real-time malware blocking across npm, PyPI, Maven, NuGet, VS Code, Chrome
- Automatic quarantine of anything published in the last 48 hours
- Request/approval workflow for restricted installs
- Visibility and cost tracking across AI tools (Cursor, Windsurf, Claude Code, Copilot)
Aikido also offers a vibe-coded app pentesting service, which we covered previously in Aikido vs VibeEval for Lovable pentesting.
Where does this leave Vercel?
The Context.ai breach — covered in depth in Vercel Breach via Context.ai — got a timeline update on April 20, 2026 via TrendingTopics.eu. Vercel confirmed the attacker reached internal systems through an employee using Context.ai’s compromised OAuth app. Environment variables not explicitly marked “sensitive” were read; some contained API keys and database credentials.
Rauch: the attackers “may have been able to act more quickly with the assistance of AI.”
Nothing new on the root cause this week. The update matters because it closes the loop on third-party AI OAuth apps as supply-chain attack surface — the exact category Aikido Endpoint is trying to police on the other side of the week.
Bottom line
Three of this week’s five stories are the same pattern with different actors: the trust boundary moved, and defaults built for a human-only workflow leaked under AI-speed pressure.
- Lovable’s permission regression went unnoticed for 48 days because the default for “public project” was ambiguous.
- MCP executes config strings because the protocol’s default is “trust the local process.”
- Vercel’s environment variables leaked because the default for “non-sensitive” wasn’t tight enough when a third-party AI OAuth app was in the loop.
The defense stack that launched this week — Gitar on code review, Aikido Endpoint on package/plugin install — is betting that more AI on the defender side is the only way to keep up. The thing none of them touch is the deployed app your AI shipped last Tuesday. That is where the actual users live.
Related reading
- Lovable BOLA Vulnerability — the project-ID-swap disclosure from Apr 20, companion to this week’s chat-history story
- Vercel Breach via Context.ai — the full timeline on the third-party OAuth compromise
- Your CLAUDE.md Is Attack Surface — Snyk’s 3,984-skill scan, arXiv MCP prompt-injection paper
- DeepKeep Launches Vibe AI Red Teaming — the defender-side launch from the same week
- Lovable Security Report Feb 2026 — the 170+ exposed databases, 18,000 users, RLS crisis
Sources
- Bastion — Lovable April 2026 Data Breach: What Was Exposed & How to Respond — Apr 20, 2026
- Pagesifter — Lovable’s 48-day security lapse — Apr 22, 2026
- Enterprise Security Tech — Lovable permission flaw reveals user projects and chats — Apr 23, 2026
- The Cyber Signal — Anthropic MCP flaw exposes 200,000 servers — Apr 20, 2026
- Assessed Intelligence — When “By Design” Is the Breach — Apr 22, 2026
- TechAmerica.ai — Gitar comes out of stealth with $9M — Apr 19, 2026
- EU Information Service — Aikido launches Endpoint — Apr 21, 2026
- TrendingTopics.eu — Vercel confirms security breach via compromised third-party AI tool — Apr 20, 2026
This digest is compiled from public reporting. VibeEval is not affiliated with Lovable, Anthropic, Vercel, Gitar, or Aikido.