June 10, 2026
Tab to doom?
Are insecure code completions in PyCharm a vulnerability?
PyCharm’s AI helper suggested sketchy code and the comments instantly turned into a fight
TLDR: A PyCharm code helper suggested unsafe lines that could make programs trust risky internet connections, raising questions about whether AI coding tools are creating danger by default. Commenters split between “this is just how AI is” and “words matter,” while others turned the whole mess into dark comedy.
A coding tool inside PyCharm was caught suggesting code that could quietly switch off safety checks, and the internet wasted zero time turning it into a full-blown debate. The original tester showed that after typing a few characters, PyCharm’s “Full Line Completion” offered lines that would hide warnings and skip identity checks on websites — basically the software equivalent of a stranger saying, “Trust me, this looks fine.” The bigger twist? Even the company response seemed fuzzy on whether this counted as a real security issue, which only added fuel to the comment-section bonfire.
And oh, the commenters came ready. One camp was basically shrugging and saying, what did you expect? As marcosdumay put it, this is a problem AI makers have been trying and failing to fix for years. Another crowd got very picky — in the most internet way possible — arguing that this is not a vulnerability itself but a “vulnerability creator” or maybe just a “weakness,” because apparently nothing sparks passion like definitions. Then the thread took a comedy detour when one reader got hung up on the phrase “monster-in-the-middle” and demanded to know what happened to the usual wording. Meanwhile, sph dropped the funniest nightmare scenario of the bunch: an AI-powered terminal turning a harmless command into “https://evil.com/run.sh” and leaving you “just an enter away from causing havoc.” In other words: part serious warning, part terminology war, part meme factory.
Key Points
- The article reports that PyCharm’s Full Line Completion suggested Python code to disable `urllib3` security warnings.
- The author also observed a suggestion to configure `urllib3.PoolManager` with `cert_reqs='CERT_NONE'`, which the article says disables certificate verification.
- The author questioned whether insecure AI-generated code suggestions should be treated as a vulnerability eligible for a CVE.
- The behavior was reported to JetBrains for Full Line Code Completion version `253.29346.142`, and the author says JetBrains did not classify it as a direct security vulnerability.
- After 90 days, the author retested version `261.24374.152` and reports that the same insecure suggestions were still produced.
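
Whatever the label, the two suggestions named in the key points can be caught mechanically before an accepted completion is committed. The following is an added example, not code from the article or from JetBrains: a small AST check for `disable_warnings()` calls and `cert_reqs` set to `CERT_NONE`. The function names and the sample source are constructed for illustration.

```python
import ast

# Constructed sample: the kind of lines the article says were suggested.
SAMPLE = '''
import urllib3
urllib3.disable_warnings()
http = urllib3.PoolManager(cert_reqs='CERT_NONE')
safe = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')
'''

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def find_tls_downgrades(source):
    """Return sorted (line, message) pairs for calls that weaken TLS checking."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        last = dotted_name(node.func).rsplit(".", 1)[-1]
        if last == "disable_warnings":
            findings.append((node.lineno, "urllib3 warnings suppressed"))
        for kw in node.keywords:
            if kw.arg != "cert_reqs":
                continue
            # Match both the string 'CERT_NONE' and the constant ssl.CERT_NONE.
            is_str = isinstance(kw.value, ast.Constant) and kw.value.value == "CERT_NONE"
            is_const = dotted_name(kw.value).rsplit(".", 1)[-1] == "CERT_NONE"
            if is_str or is_const:
                findings.append((node.lineno, "certificate verification disabled"))
    return sorted(findings)

if __name__ == "__main__":
    for line, msg in find_tls_downgrades(SAMPLE):
        print(f"line {line}: {msg}")
```

Run as a pre-commit hook or CI step, a check like this flags the pattern regardless of whether a person or a completion model typed it.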