Image: Wiz Research
In a significant finding that highlights the risks associated with emerging AI development platforms, Wiz Research has uncovered a critical vulnerability in Base44, a popular vibe coding platform recently acquired by Wix. This vulnerability, if exploited, could have granted unauthorized access to private enterprise applications, exposing sensitive data and bypassing authentication mechanisms like Single Sign-On (SSO).
"The vulnerability we discovered was remarkably simple to exploit: by providing only a non-secret app_id value to undocumented registration and email verification endpoints, an attacker could have created a verified account for private applications on their platform," Wiz Research explained.
The issue stems from a misconfigured authentication flow in Base44's infrastructure, which powers applications developed using natural language and AI automation, a method dubbed "vibe coding." The flaw allowed attackers to:
- Register a new account using only an app_id
- Receive a one-time password (OTP) to confirm the email
- Bypass all authentication controls, even for apps configured to use SSO-only access
This was made possible because app_id values were exposed in the URI and application manifest files, making them easily accessible to anyone familiar with the platform's structure.
"This effectively bypassed all given authentication controls that Base44 provided... granting full access to what were intended to be private enterprise applications and the sensitive data they might have contained," Wiz noted.
Using tools like Swagger-UI, Wiz researchers identified public API endpoints (/auth/register and /auth/verify-otp) that didn't require authentication. With basic knowledge of API interactions and some reconnaissance via platforms like urlscan.io, researchers were able to identify several Base44 apps that were vulnerable.
"We managed to confirm authentication bypass was available across several enterprise applications that utilized the platform for internal chatbots, knowledge bases, PII & HR operations, significant sensitive data that could have been leaked to unauthorized attackers."
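To make the flaw and its fix concrete, here is an added Python model of a registration and OTP-verification endpoint. It is illustrative code written for this article, not Base44's or Wix's implementation, and it knows nothing of their real schema: the `AppConfig` policy values (`open`, `sso_only`, `invite_only`), the `Store` object, the function names and the sample app_ids are all assumptions. It places the unchecked flow the article describes (app existence is the only gate, so a public app_id is enough to obtain an OTP) beside a hardened handler that consults the app's authentication policy before issuing anything, and it includes the post-fix review query a defender would run to find self-registered accounts on apps that should never have allowed them.

```python
from dataclasses import dataclass, field
import hmac
import secrets

# Constructed policy model; the real platform's configuration is not on the page.
@dataclass
class AppConfig:
    app_id: str                  # non-secret: appears in URIs and manifests
    auth_mode: str               # "open" (self-signup), "sso_only" or "invite_only"
    allowed_domains: tuple = ()  # optional e-mail domain allow-list

@dataclass
class Store:
    apps: dict
    users: dict = field(default_factory=dict)         # (app_id, email) -> record
    pending_otps: dict = field(default_factory=dict)  # (app_id, email) -> otp
    audit: list = field(default_factory=list)

def _issue_otp(store, app_id, email):
    otp = f"{secrets.randbelow(10**6):06d}"
    store.pending_otps[(app_id, email)] = otp
    return otp  # a real service sends this by e-mail, never in the HTTP response

def register_unchecked(store, app_id, email):
    """The flow the article describes: knowing a valid app_id is the only gate."""
    if app_id not in store.apps:
        return {"ok": False}
    _issue_otp(store, app_id, email)
    return {"ok": True}

def register_hardened(store, app_id, email):
    """Self-registration is honoured only where the app's own policy allows it."""
    app = store.apps.get(app_id)
    domain = email.rsplit("@", 1)[-1].lower()
    allowed = (
        app is not None
        and app.auth_mode == "open"
        and (not app.allowed_domains or domain in app.allowed_domains)
    )
    store.audit.append({"event": "register_attempt", "app_id": app_id,
                        "email": email, "allowed": allowed})
    if not allowed:
        # One generic reply for unknown app, SSO-only app and disallowed domain,
        # so the endpoint cannot be used to map which app_ids are private.
        return {"ok": False}
    _issue_otp(store, app_id, email)
    return {"ok": True}

def verify_otp(store, app_id, email, otp, source="self_signup"):
    """Creates the account only after a constant-time match of the pending OTP."""
    expected = store.pending_otps.get((app_id, email))
    if expected is None or not hmac.compare_digest(expected, otp):
        return False
    del store.pending_otps[(app_id, email)]
    store.users[(app_id, email)] = {"source": source}
    return True

def suspicious_accounts(store):
    """Post-fix review: accounts that reached a non-open app via self-signup."""
    return sorted(
        (app_id, email)
        for (app_id, email), rec in store.users.items()
        if rec["source"] == "self_signup"
        and store.apps[app_id].auth_mode != "open"
    )

def demo():
    store = Store(apps={
        "app-public-demo": AppConfig("app-public-demo", "open"),
        "app-hr-internal": AppConfig("app-hr-internal", "sso_only"),
    })
    # Unchecked flow: the public app_id alone yields an OTP for the SSO-only app.
    register_unchecked(store, "app-hr-internal", "outsider@example.net")
    otp = store.pending_otps[("app-hr-internal", "outsider@example.net")]
    unchecked_ok = verify_otp(store, "app-hr-internal", "outsider@example.net", otp)
    # Hardened flow on the same app: no OTP is issued, so no account can follow.
    hardened = register_hardened(store, "app-hr-internal", "outsider2@example.net")
    return unchecked_ok, hardened["ok"], suspicious_accounts(store)

if __name__ == "__main__":
    print(demo())
```

The design point is that the policy decision happens before the OTP is issued, not after: once an OTP has gone out, e-mail verification proves only that the requester controls an inbox, which says nothing about whether that person belongs to the enterprise behind the app. The uniform failure response in `register_hardened` and the audit entry on every attempt are what turn the endpoint from an unauthenticated probe into something a SOC can actually monitor.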
Among the identified apps were those hosted on custom domains with shared CNAME records pointing to Base44 infrastructure, as well as others discovered via HTML identifiers like “base44”.
Wiz responsibly disclosed the issue to Base44 and Wix on July 9, 2025, prompting an immediate fix within 24 hours. Wix confirmed that:
- The vulnerability has been patched platform-wide
- No evidence of prior abuse or compromise was found
- No user action is required unless suspicious user activity is identified
"Wiz Research independently verified that the fix completely addresses the vulnerability. Base44 now correctly prevents unauthorized registration attempts on private applications."
As adoption of these platforms grows, especially among enterprises handling sensitive information, security must be treated as a first-class concern.
"By understanding the potential impact of these systemic risks and by working with vendors to address them, we can help ensure the secure evolution of this transformative technology," Wiz concluded.