A critical security flaw in the popular AI-powered coding platform Base44 allowed attackers to bypass authentication controls and gain unauthorized access to private enterprise applications, according to new research from Wiz Security.
The vulnerability, discovered in the recently Wix-acquired platform, was remarkably simple to exploit. Attackers needed only a non-secret app identifier (app_id) to create verified accounts for private applications through undocumented API endpoints, completely bypassing Single Sign-On (SSO) protections.
"This effectively bypassed all given authentication controls that Base44 provided, including Single Sign-On (SSO), granting full access to what were intended to be private enterprise applications," Wiz researchers explained in their disclosure.
Technical Breakdown
The flaw centered on two exposed API endpoints - /api/apps/{app_id}/auth/register and /api/apps/{app_id}/auth/verify-otp - that lacked proper authentication checks. These endpoints allowed anyone to register new users for private applications using only the app_id value, which ironically wasn't secret at all.
App identifiers were publicly visible in application URLs and manifest.json file paths, making them trivial to discover. Researchers found vulnerable enterprise applications by identifying custom domains pointing to Base44's infrastructure and scanning for the platform's distinctive login page patterns.
The vulnerability particularly threatens organizations using Base44 for internal chatbots, knowledge bases, and HR operations containing sensitive corporate data. During their research, Wiz confirmed successful authentication bypasses across several enterprise applications.
"The rapid enterprise adoption of these platforms for critical functions... is precisely why we decided to focus our research efforts on this emerging attack surface," the researchers noted.
Following responsible disclosure on July 9th, 2025, Wix implemented a complete fix within 24 hours. The company confirmed no evidence of malicious exploitation during the vulnerable period.
This incident highlights growing security challenges in "vibe coding" platforms (AI-powered development tools using natural language), where shared infrastructure creates systemic risks affecting all hosted applications simultaneously.
Organizations using such platforms should implement additional monitoring and regularly audit third-party access as these transformative tools continue evolving.