
Cloudflare vinext Bugs: A Vibe-Coding Warning

Written by Pravin Kumar
Published on Jun 1, 2026

What is Cloudflare's vinext and why did it appear?

vinext is Cloudflare's AI-built reimplementation of Next.js, covering about 94% of the Next.js 16 API surface. It appeared as an experiment in running a Next.js-style framework natively on Cloudflare Workers. Most of the code was written by Claude, which made it a striking demonstration of how far AI-assisted building has come.

How was vinext built so fast and so cheaply?

Reports say one engineer produced it in roughly a week for about $1,100 in AI tokens, with Claude writing most of the code. That speed and low cost are exactly why the project drew attention. It showed that a near-complete framework clone can now be assembled in days, not months, using coding agents.

Why did security researchers find so many flaws?

Because AI-generated code ships fast but is not automatically secure. Vercel CEO Guillermo Rauch responsibly disclosed seven vinext vulnerabilities, two of them critical, and the security firm Hacktron reported 45 more, with 24 manually validated. Speed of generation does not equal safety, and rapid output can outpace careful review.

Should I run AI-generated code in production?

Only after real review and testing. AI can draft useful code quickly, but vinext shows unreviewed output can carry serious flaws. Treat anything an agent writes like a junior developer's first pass: read it, test it, run security checks, and have an experienced engineer approve it before it ever touches production traffic.

What were the May 2026 Next.js vulnerabilities?

Separately from vinext, Vercel shipped a coordinated Next.js security release in May 2026 patching 13 advisories, including CVE-2026-23870, a denial-of-service issue in React Server Components. This was mature, widely used software getting patched, a reminder that even battle-tested frameworks need disciplined, prompt updates to stay safe.

How do I protect a Webflow or Next.js site from these?

Patch promptly and reduce exposure. If you run Next.js, update to the patched releases right away. On Webflow, you avoid framework-level CVEs because Webflow manages the hosting stack, which is one quiet advantage for marketing sites. For any custom code, keep dependencies current and watch security advisories closely.

Which CVE matters most for my stack?

For Next.js users, prioritize CVE-2026-23870, the React Server Components denial-of-service flaw in the May batch, since it can take a site down. Check the full advisory list against the exact features you use, then patch the highest-severity items that touch your app first. Your stack determines which of the 13 actually matter.

Can vibe coding ever be production-safe?

Yes, with discipline around it. As Guillermo Rauch put it, vibe coding is a useful tool, especially when used responsibly. The fix is process: human review, automated security scanning, thorough testing, and clear ownership of what ships. Used that way, AI-assisted coding speeds you up without turning your production site into an open target.

Where does the Vercel vs Cloudflare feud leave developers?

In a useful spot, actually. The public back-and-forth between Vercel and Cloudflare surfaced real security findings and responsible disclosure in the open. Competition is pushing both toward faster frameworks and tighter security. For developers, the rivalry means better tools and a louder, healthier conversation about what safe AI-assisted building should look like.

Will this slow down AI-assisted development?

Probably not, but it should mature it. vinext proved the speed is real and irresistible, so teams will keep using agents to build. What changes is the expectation around review and security. The lasting lesson is not to stop vibe coding, but to wrap it in the same rigor you apply to any production code.

Weighing AI-built infrastructure? Pair this with my piece on Cloudflare acquiring Astro, the May 2026 Next.js CVE patches, and my Cloudflare vs Vercel vs Netlify breakdown. Let's chat.
