
Wiz finds major security flaw in Base44, one month after Wix acquisition
Vulnerability allowed unauthorized access to private apps built via AI prompts.
A newly discovered security vulnerability in Base44, an AI-powered application development platform recently acquired by Wix, has raised fresh concerns about the risks embedded in the rapidly expanding world of “vibe coding”, a trend that replaces traditional software development with natural language prompts.
The vulnerability, uncovered by Wiz Research, allowed attackers to gain unauthorized access to private applications built on Base44 simply by knowing a publicly visible app ID. By exploiting undocumented API endpoints, attackers could bypass authentication controls, including Single Sign-On (SSO), to create verified user accounts on apps that were supposed to be restricted.
While the issue has since been patched and no evidence of malicious activity was found, the discovery shines a spotlight on the foundational security assumptions behind a new wave of AI-driven platforms that are transforming how software is created and used, especially inside enterprises.
“The most immediate risks stem not from exotic threats like model poisoning, but from fundamental design oversights,” Wiz noted in a detailed disclosure published Tuesday.
Base44 rose to prominence in early 2025 with its vision of democratizing software development through “vibe coding,” a term coined by OpenAI co-founder Andrej Karpathy to describe coding entirely via natural language prompts. The platform enabled even non-technical users to rapidly build internal tools, chatbots, and automations.
Its momentum led to a high-profile acquisition by Wix for $80 million. At the time, Base44’s model was lauded for its speed, accessibility, and growing enterprise adoption.
But the simplicity that made Base44 so appealing also became its Achilles’ heel. Wiz researchers discovered that private applications could be compromised by exploiting APIs exposed via public documentation tools like Swagger-UI. By identifying a single app’s ID, often visible in URLs or public files, and submitting it to Base44’s open registration endpoints, researchers were able to gain full access, even in environments where SSO was enabled.
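The control at the heart of this finding is that a public identifier (an app ID visible in URLs or files) must never function as an authorization token, and that account creation has to be gated by the app's configured authentication policy rather than by whichever endpoint happens to be reachable. The following Python model is an added illustration, not Base44's or Wix's code and not their real API: the endpoint and field names, the `App` policy fields and the audit-log format are assumptions made for the example. It places the flawed registration pattern beside a gated one, and runs a small detection over constructed audit lines to flag verified accounts that appeared on SSO-only apps without coming from the identity provider.

```python
"""
Added illustration (not Base44's or Wix's code): a minimal model of the access
control the Wiz finding concerns. All names (register_*, auth_policy, the
key=value audit format) are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class App:
    app_id: str                      # public identifier, visible in URLs: not a secret
    auth_policy: str                 # "open" (self-registration) or "sso" (IdP-issued only)
    allowed_domains: Set[str] = field(default_factory=set)
    users: Dict[str, bool] = field(default_factory=dict)  # email -> verified?


class RegistrationError(Exception):
    pass


def register_vulnerable(apps: Dict[str, App], app_id: str, email: str) -> bool:
    """Flawed pattern: knowing the app ID is enough to get a verified account,
    and the app's SSO policy is never consulted."""
    app = apps[app_id]
    app.users[email] = True
    return True


def register_hardened(apps: Dict[str, App], app_id: str, email: str,
                      idp_assertion: Optional[dict] = None) -> bool:
    """Gated pattern: the app's policy decides whether self-registration exists
    at all; on SSO apps an account can only come from an IdP assertion bound
    to this app and this identity (assumed signature-verified upstream)."""
    app = apps.get(app_id)
    if app is None:
        raise RegistrationError("unknown app")
    if app.auth_policy == "sso":
        if idp_assertion is None or idp_assertion.get("app_id") != app_id:
            raise RegistrationError("SSO-only app: self-registration disabled")
        if idp_assertion.get("email") != email:
            raise RegistrationError("assertion does not match requested identity")
        domain = email.rsplit("@", 1)[-1].lower()
        if app.allowed_domains and domain not in app.allowed_domains:
            raise RegistrationError("identity outside the app's allowed domains")
        app.users[email] = True
        return True
    # Open apps: the account exists but stays unverified until an out-of-band step.
    app.users[email] = False
    return False


def registration_outcome(apps: Dict[str, App], app_id: str, email: str,
                         idp_assertion: Optional[dict] = None) -> str:
    """Convenience wrapper returning 'verified', 'pending' or 'rejected'."""
    try:
        return "verified" if register_hardened(apps, app_id, email, idp_assertion) else "pending"
    except RegistrationError:
        return "rejected"


# Constructed audit lines in a hypothetical key=value format, for the detection below.
SAMPLE_AUDIT = [
    "ts=2025-07-09T10:00:01Z event=user_created app_id=app-1 email=a@corp.example source=sso verified=true",
    "ts=2025-07-09T10:02:17Z event=user_created app_id=app-1 email=z@evil.example source=self_registration verified=true",
    "ts=2025-07-09T10:03:40Z event=user_created app_id=app-2 email=b@other.example source=self_registration verified=false",
]


def parse_audit_line(line: str) -> Dict[str, str]:
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_policy_bypasses(audit: List[str], apps: Dict[str, App]) -> List[Dict[str, str]]:
    """Flag verified accounts on SSO-only apps that did not originate from the IdP:
    exactly the symptom a bypassed registration endpoint would leave behind."""
    hits = []
    for line in audit:
        rec = parse_audit_line(line)
        app = apps.get(rec.get("app_id", ""))
        if (app and app.auth_policy == "sso" and rec.get("event") == "user_created"
                and rec.get("source") != "sso" and rec.get("verified") == "true"):
            hits.append(rec)
    return hits


def demo_apps() -> Dict[str, App]:
    return {
        "app-1": App("app-1", "sso", {"corp.example"}),
        "app-2": App("app-2", "open"),
    }


if __name__ == "__main__":
    apps = demo_apps()
    print("vulnerable:", register_vulnerable(apps, "app-1", "z@evil.example"))
    print("hardened:", registration_outcome(apps, "app-1", "z@evil.example"))
    for hit in find_policy_bypasses(SAMPLE_AUDIT, apps):
        print("suspicious:", hit["app_id"], hit["email"], hit["source"])
```

The point of the pair is that the policy check lives in the registration path itself, so it does not matter whether a caller reached it through the documented UI flow or through an endpoint found in generated API documentation. The audit query is the retrospective counterpart: once a platform fixes such an issue, the question "did anyone get in this way before the fix?" is answered by the same predicate applied to historical account-creation events.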
Wiz disclosed the vulnerability to Wix and Base44 on July 9. According to both companies, the issue was fixed within 24 hours. Wix independently confirmed the fix and stated that no evidence of abuse was found during a comprehensive investigation.
"The security and privacy of our users are paramount. We are committed to maintaining the highest standards of security across all our products and platforms," Base44 said in a statement. "The recent acquisition of Base44 by Wix was driven in large part by Wix’s commitment to delivering trusted, robust technology backed by the company’s industry-leading infrastructure and security standards.
"Immediately upon being notified by the Wiz research team about a potential vulnerability, we conducted a thorough investigation and took swift, decisive action to remediate the issue in the Base44 platform. We’ve investigated and, so far, found no evidence that any customer was impacted by an attacker leveraging the vulnerability. Our investigation is ongoing as we continue to take this matter seriously.
"We continue to invest heavily in strengthening the security of all products and potential vulnerabilities are proactively managed. We remain committed to protecting our users and their data."