A critical vulnerability was discovered in Base44, the vibe coding platform recently acquired by Wix. The flaw allowed unauthorized access to private applications built on Base44, potentially exposing sensitive data, including private enterprise information, personally identifiable information (PII), and sensitive HR operations.
Wiz Research identified that the Base44 platform exposed two undocumented API endpoints, one for registration and one for email (OTP) verification (api/apps/{app_id}/auth/register and api/apps/{app_id}/auth/verify-otp), and that neither enforced the target application's access policy. Because an application's app_id is publicly accessible, an attacker only needed that value to register a new account on a private application and complete the verification step, thereby bypassing every authentication mechanism the application owner had configured, including Single Sign-On (SSO).
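To make the class of bug concrete, the following is an added illustration and not Base44 or Wix code: a toy multi-tenant register/verify-otp flow in which the only gate is "does this app_id exist?", beside a hardened version that enforces the application's access policy on both endpoints. The tenant registry, app identifiers, email addresses and the invite-list policy are all constructed assumptions for the example; a real SSO-backed private app would check the asserted identity at the same points.

```python
"""Toy model of an open registration flow on a private app, beside a
hardened version. Constructed example; not Base44 code."""
import hmac
import secrets
from dataclasses import dataclass, field


class RegistrationError(Exception):
    """Raised when registration or OTP verification is refused."""


@dataclass
class App:
    app_id: str
    private: bool                                 # private apps take no open sign-ups
    invited: set = field(default_factory=set)     # identities provisioned by the owner
    users: dict = field(default_factory=dict)     # email -> role, set on verify
    pending: dict = field(default_factory=dict)   # email -> (otp, attempts_left)


# Constructed tenant registry. app_id is treated as public knowledge, as in
# the advisory, so it cannot serve as a secret.
APPS = {
    "app-public-demo": App("app-public-demo", private=False),
    "app-hr-private": App("app-hr-private", private=True,
                          invited={"alice@example.com"}),
}
MAX_OTP_ATTEMPTS = 3


def _issue_otp(app, email):
    # Six-digit code; a real system emails it and never returns it to the caller.
    otp = f"{secrets.randbelow(10**6):06d}"
    app.pending[email] = (otp, MAX_OTP_ATTEMPTS)
    return otp


def _check_otp(app, email, otp):
    entry = app.pending.get(email)
    if entry is None:
        raise RegistrationError("no pending registration")
    expected, attempts_left = entry
    if attempts_left <= 0:
        app.pending.pop(email, None)
        raise RegistrationError("too many attempts")
    if not hmac.compare_digest(expected, otp):    # constant-time compare
        app.pending[email] = (expected, attempts_left - 1)
        raise RegistrationError("bad otp")
    app.pending.pop(email)


# --- Vulnerable shape: existence of the app_id is the only check ----------------

def register_vulnerable(app_id, email):
    app = APPS.get(app_id)
    if app is None:
        raise RegistrationError("unknown app")
    return _issue_otp(app, email)                 # any caller, any email, any app


def verify_otp_vulnerable(app_id, email, otp):
    app = APPS[app_id]
    _check_otp(app, email, otp)
    app.users[email] = "member"                   # attacker now has an account
    return True


# --- Hardened shape: the app's access policy gates both endpoints ---------------

def _registration_allowed(app, email):
    # Public apps accept self-service sign-up; private apps accept only
    # identities the owner has provisioned.
    return (not app.private) or (email in app.invited)


def register_hardened(app_id, email):
    app = APPS.get(app_id)
    if app is None:
        raise RegistrationError("unknown app")
    if not _registration_allowed(app, email):
        raise RegistrationError("registration is closed for this app")
    return _issue_otp(app, email)


def verify_otp_hardened(app_id, email, otp):
    app = APPS.get(app_id)
    if app is None:
        raise RegistrationError("unknown app")
    # An OTP proves mailbox control, not authorization, so the policy is
    # re-checked here: an OTP obtained through any other path still cannot
    # mint an account on a private app.
    if not _registration_allowed(app, email):
        app.pending.pop(email, None)
        raise RegistrationError("registration is closed for this app")
    _check_otp(app, email, otp)
    app.users[email] = "member"
    return True


def demo():
    """Returns (vulnerable outcome, hardened outcome, invited-user outcome)."""
    attacker = "attacker@evil.example"
    otp = register_vulnerable("app-hr-private", attacker)
    vuln = verify_otp_vulnerable("app-hr-private", attacker, otp)
    try:
        register_hardened("app-hr-private", attacker)
        hard = "registered"
    except RegistrationError as e:
        hard = str(e)
    otp = register_hardened("app-hr-private", "alice@example.com")
    ok = verify_otp_hardened("app-hr-private", "alice@example.com", otp)
    return vuln, hard, ok


if __name__ == "__main__":
    print(demo())
```

The point of checking the policy on verify-otp as well as on register is defense in depth: the advisory describes two exposed endpoints, and a fix that only patches the first leaves the second usable by anyone who can obtain a pending code by another route.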
Wix has fixed the vulnerability and no customer action is required to apply the fix. Organizations should nonetheless review the analytics in their Base44 application settings for unexpected registrations or user activity dated before July 10, 2025, since accounts created through the exposed endpoints would not have passed through SSO or any other configured login control.
The rapid adoption of vibe coding platforms introduces systemic risk: because customer applications share the platform's infrastructure, a single flaw in that shared layer can expose every application built on it. Fundamental controls, above all robust authentication and secure API design, remain the areas that need the most diligent focus and continuous assessment. Organizations using third-party AI-powered development platforms should treat them as part of their attack surface, evaluate their security before adoption, and monitor them continuously to safeguard sensitive data.