
Vibe coding platform breach exposes corporate apps


Security researchers have discovered a critical vulnerability in the vibe coding platform Base44 that could have been exploited to gain access to private applications built with the tool, and with them to whatever sensitive data those applications held for the companies using it.

The vulnerability was discovered by researchers at cloud security firm Wiz while analysing Base44’s publicly available assets. They found several exposed API endpoints that could be used to bypass authentication and reach sensitive data, including the source code of apps built with the tool.

According to their report, they managed to confirm that “authentication bypass was available across several enterprise applications that utilized the popular vibe coding platform for internal chatbots, knowledge bases, PII & HR operations – significant sensitive data that could have been leaked to unauthorized attackers.”


Wiz’s team found five internet-facing subdomains, hosting the main application along with the documentation and marketing websites. Successful exploitation would have given a remote attacker access to private applications hosted on Base44’s servers without proper authorisation.

Base44’s parent company, Wix, patched the vulnerability within 24 hours of disclosure and investigated for signs of abuse, concluding that the flaw had not been exploited in the wild before the fix. Because the fix was server-side, Base44 customers do not need to take any action on their end.

Following the patch, Wiz researchers independently verified that the fix fully addresses the vulnerability: Base44 now correctly rejects unauthorised registration attempts against private apps, and no further steps are required from organisations using the tool. Customers are nevertheless advised to review their logs for any unusual user visits and registrations and to put additional monitoring in place.
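The closing advice, reviewing registrations for anything unusual, is the one actionable step the article gives customers. As an added illustration (not code from the article, from Wiz, or from Base44/Wix), the script below triages a constructed registration log for a private internal app and flags two things an admin would want to see: approved sign-ups from outside the corporate mail domain, and short bursts of approvals that look scripted. The log format, app names, the `example.com` domain and every e-mail address are assumptions made for the example.

```python
"""
Added example: triage a registration log for private apps.

Flags (1) approved registrations to a private app from an e-mail domain
that is not on the corporate allow-list, and (2) bursts of approvals
for one app inside a short window. Everything below is constructed for
illustration; it is not the platform's real log format.
"""
from datetime import datetime

# Constructed sample log: one event per line as
# ISO-timestamp,app,email,status
SAMPLE_LOG = """\
2025-07-20T09:12:03Z,hr-assistant,alice@example.com,approved
2025-07-20T09:45:11Z,hr-assistant,bob@example.com,approved
2025-07-21T02:17:44Z,hr-assistant,guest1234@mailinator.com,approved
2025-07-21T02:18:02Z,hr-assistant,guest1235@mailinator.com,approved
2025-07-21T02:18:19Z,kb-internal,guest1235@mailinator.com,approved
2025-07-22T14:02:50Z,kb-internal,carol@example.com,approved
"""

ALLOWED_DOMAINS = {"example.com"}                 # assumption: corporate mail domain(s)
PRIVATE_APPS = {"hr-assistant", "kb-internal"}    # assumption: apps meant to be private


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, email, status = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "app": app,
            "email": email.strip().lower(),
            "status": status.strip(),
        })
    return events


def suspicious_registrations(events, allowed_domains=ALLOWED_DOMAINS,
                             private_apps=PRIVATE_APPS):
    """Approved sign-ups to a private app from a non-corporate domain."""
    findings = []
    for e in events:
        domain = e["email"].rsplit("@", 1)[-1]
        if (e["app"] in private_apps and e["status"] == "approved"
                and domain not in allowed_domains):
            findings.append(e)
    return findings


def burst_registrations(events, window_seconds=300, threshold=2):
    """Map app -> largest number of approvals seen inside one window.

    Only apps that reach `threshold` are returned. A sliding window over
    the sorted timestamps keeps this O(n) per app.
    """
    by_app = {}
    for e in events:
        if e["status"] == "approved":
            by_app.setdefault(e["app"], []).append(e["ts"])

    bursts = {}
    for app, times in by_app.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[app] = max(bursts.get(app, 0), count)
    return bursts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in suspicious_registrations(evts):
        print(f"external domain: {f['ts'].isoformat()} {f['app']} {f['email']}")
    for app, n in burst_registrations(evts).items():
        print(f"burst: {n} approvals for {app} within 300s")
```

On the constructed log the external-domain check reports the three `mailinator.com` approvals and the burst check reports two approvals for `hr-assistant` 18 seconds apart; in a real review the domain allow-list and the window and threshold should be tuned to the organisation's normal onboarding pattern.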


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
