Back to blog
Research·2026-02-28·8 min read

The 5 Most Common Vulnerability Patterns in AI-Generated Code

LLMs produce code with distinct structural patterns that legacy scanners miss entirely. We analyzed 10,000 AI-generated repositories and identified the five vulnerability classes that appear most frequently - and why traditional SAST tools fail to catch them.

Why AI-generated code fails differently

AI-generated code is often syntactically clean, style-consistent, and shipped quickly. That combination creates a dangerous illusion: if the code looks polished, teams assume it is safe enough to merge.

In practice, AI tooling increases the rate of insecure defaults, partial implementations, and context mismatches. The model can produce code that compiles and passes happy-path tests while still opening critical security gaps at runtime.

We reviewed 10,000 public repositories with obvious AI-assisted commit signatures and measured recurring findings by confirmed exploitability.

Pattern 1: Incomplete authentication and authorization checks

The most common issue is not "no auth". It is "some auth" that is incomplete.

Typical examples include endpoint-level checks without object-level authorization, role checks in one route but not another, or middleware attached to read routes while write routes are exposed.

Why this appears in AI code: - Models optimize for task completion and often scaffold auth around the exact prompt target. - Generated code may mirror examples that skip multi-tenant boundaries. - Follow-up prompts patch only the reported endpoint, leaving lateral paths unguarded.

Mitigation: - Centralize authorization logic and enforce it in one policy layer. - Add tests for cross-tenant access, not only unauthenticated access. - Require deny-by-default route registration in framework templates.

Pattern 2: Input flows that look sanitized but are not

We repeatedly found validation present at the edge but bypassed before sink usage. Teams saw schema validators and assumed safety, but unsafe transformations happened after validation.

Common flow: - Request payload validated in controller. - Data merged with query params or headers later. - Final value reaches SQL, template, or shell sink unsafely.

Why scanners miss this: - Rule-based tools over-trust named validators. - AI code tends to split logic across helper functions, breaking shallow taint tracking.

Mitigation: - Keep data normalization and validation adjacent to sink boundaries. - Use sink-aware validation contracts per context (SQL, HTML, command execution). - Add negative tests with payload mutation after initial validation.

Pattern 3: Secret and token handling in convenience paths

AI-generated integrations frequently include fallback credentials, debug tokens, or permissive local auth shortcuts.

Observed variants: - Environment fallback to hardcoded API keys. - Demo bearer tokens left in production code paths. - "Temporary" bypass flags wired to env vars with weak defaults.

Why this persists: - Generated samples prioritize instant runnability. - Teams copy quickstart snippets into production modules under time pressure.

Mitigation: - Ban credential literals with pre-commit and CI checks. - Enforce strict startup failure when required secrets are missing. - Gate debug auth paths behind explicit non-production build flags.

Pattern 4: Broken session and JWT verification logic

JWT code generated by LLMs often verifies signature presence but misses claim semantics.

Frequent issues: - Accepting expired tokens because exp checks are omitted. - Not validating aud or iss against expected values. - Trusting decoded payload before verification completes.

Why this pattern is common: - Prompt examples focus on "decode token" workflows. - Subtle verification order bugs are easy to introduce when refactoring generated snippets.

Mitigation: - Use hardened auth libraries with strict verification presets. - Enforce claim validation in a single reusable guard. - Add tests for invalid issuer, wrong audience, and stale token replay.

Pattern 5: Unsafe AI-to-runtime execution bridges

As teams add AI features, we see direct execution bridges: model output drives SQL, shell commands, file access, or workflow actions with minimal policy controls.

Typical anti-pattern: - Prompt returns "action plan" JSON. - App executes plan with broad privileges. - No policy engine validates allowed operations.

Why risk is increasing: - Product teams optimize agent capability first. - Guardrails are added later and are often prompt-only.

Mitigation: - Put all model-directed actions behind explicit allowlists. - Require human confirmation for high-impact operations. - Log and simulate actions in dry-run mode before execution.

What this means for security teams

The gap is no longer detection volume. It is detection relevance under AI-scale delivery speed.

Legacy SAST outputs a long queue of possible issues. AI-era pipelines need verified, context-aware findings tied to real exploit paths.

The fastest teams are moving to a layered model: - Deterministic rules for known unsafe patterns. - LLM-assisted reasoning for architectural context. - Exploit verification to confirm real impact.

Closing

AI-generated code is not inherently insecure. It is predictably insecure in ways that differ from hand-written software.

If your review process still assumes human-authored pace and structure, you will under-detect critical issues while overloading developers with noise.

Security programs that adapt now will reduce both breach risk and developer friction. Teams that do not will accumulate invisible security debt behind a facade of fast shipping.