Orchids Exposes Zero-Click Vulnerability On Desktops

A BBC journalist and researcher Etizaz Mohsin demonstrated in December 2025 that Orchids, a "vibe-coding" AI platform with around one million users, has a desktop-app vulnerability allowing remote, zero-click access to projects and host machines. The exploit allowed viewing and modifying code and altering files without user action; the company did not respond before publication. The finding raises security concerns about AI agents' broad system permissions.
Key Points
- 1Demonstrates zero-click vulnerability allowing remote access and modification of projects in Orchids desktop app.
- 2Highlights risk in vibe-coding tools that run code and execute with broad system permissions.
- 3Implies developers and enterprises must audit agent permissions and isolate execution environments immediately.
Scoring Rationale
High practical risk and industry relevance, supported by BBC demonstration but limited by single-source reporting and vendor silence.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

