A critical security vulnerability in the popular AI-powered development platform Base44 allowed attackers to bypass authentication controls and access private enterprise applications, according to a new report from Wiz Research.
The flaw, now patched, could have exposed sensitive corporate data held in the internal tools and automation apps that multiple organizations had built on the vibe coding platform.
The rise of vibe coding platforms
Vibe coding is an approach to software development in which users rely on artificial intelligence to generate working applications from natural language prompts, removing the need for traditional programming skills.
Platforms like Base44, Lovable, and Bolt have democratized app development so that millions of users can create everything from personal tools to enterprise-grade systems that process sensitive business data.
Base44, which Wix recently acquired for $80 million amid the rapid growth of the AI development space, hosts customer applications on shared infrastructure, so every customer inherits the security posture of the vendor.
This model creates a single critical point of failure: a platform-level vulnerability can instantly undermine every application built on the platform.
The vulnerability discovered by Wiz Research was very easy to exploit.
An attacker needed only a non-secret app_id value to reach undocumented registration and email verification endpoints, effectively bypassing all authentication controls, including single sign-on (SSO) protection.
Although app_id values look like random strings, they appear in application URIs and in manifest.json file paths, so they are easy to discover and were never truly secret.
Using this exposed identifier, an attacker could register a new user account for a private application through Base44's Swagger UI, receive the verification code by email, and then log in with full access to an application they do not own. The email verification step proved only that the attacker controlled the mailbox they supplied, not that the tenant had ever granted that user access.
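The following Python is an added example modelling the vulnerability class described above; it is not code from the Wiz report or from Base44, and it makes no claim about Base44's actual endpoints. Every name in it (the tenant registry, the app_id values, INVITE_KEY, register_vulnerable, register_hardened, mint_invite) is a hypothetical construct for illustration. The flawed path treats a public app_id as proof of entitlement and never consults the app's SSO policy; the hardened path refuses self-registration on SSO-only apps, checks the tenant's allowed email domains, and requires an admin-minted invitation bound to the (app_id, email) pair, so that knowing the identifier alone grants nothing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Server-side key used to mint invitations. Constructed for this example only;
# a real deployment keeps it in a secret store, never in source.
INVITE_KEY = b"example-only-invite-key"


@dataclass
class App:
    app_id: str                     # public: shows up in URIs and manifest.json paths
    auth_mode: str                  # "sso" (identity provider only) or "email"
    allowed_domains: Set[str]       # email domains the tenant admin permits
    members: Set[str] = field(default_factory=set)


def make_registry() -> Dict[str, App]:
    """Constructed tenant registry: one SSO-only app and one email-login app."""
    return {
        "a1b2c3d4": App("a1b2c3d4", "sso", {"acme.example"}),
        "ffee0011": App("ffee0011", "email", {"acme.example"}),
    }


def app_id_from_path(path: str) -> Optional[str]:
    """Recover an app_id from a manifest.json path: the identifier is public."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[-1] == "manifest.json":
        return parts[-2]
    return None


def register_vulnerable(registry: Dict[str, App], app_id: str, email: str) -> dict:
    """Flawed pattern: a valid (public) app_id is the only gate, and the app's
    auth_mode is never consulted on this undocumented route."""
    app = registry.get(app_id)
    if app is None:
        return {"ok": False, "reason": "unknown_app"}
    code = f"{secrets.randbelow(10**6):06d}"  # would be emailed to `email`
    return {"ok": True, "pending": (app_id, email, code)}


def verify_vulnerable(registry: Dict[str, App], app_id: str, email: str,
                      code: str, submitted: str) -> bool:
    """Completes the flawed flow. The code only proves control of the mailbox
    the caller chose, not that the tenant admitted this user."""
    if hmac.compare_digest(code, submitted):
        registry[app_id].members.add(email)
        return True
    return False


def mint_invite(app_id: str, email: str) -> str:
    """Hardened flow, step 1: an admin action mints an invitation bound to
    (app_id, email). It cannot be derived from the public app_id alone."""
    msg = f"{app_id}\n{email.lower()}".encode()
    return hmac.new(INVITE_KEY, msg, hashlib.sha256).hexdigest()


def register_hardened(registry: Dict[str, App], app_id: str, email: str,
                      invite: str) -> dict:
    """Hardened flow, step 2: entitlement is checked before any code is sent.
    Email verification of `email` would still follow on success."""
    app = registry.get(app_id)
    if app is None:
        return {"ok": False, "reason": "unknown_app"}
    if app.auth_mode == "sso":
        # SSO-only tenants get no self-service registration path at all.
        return {"ok": False, "reason": "sso_enforced"}
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in app.allowed_domains:
        return {"ok": False, "reason": "domain_not_allowed"}
    if not hmac.compare_digest(invite, mint_invite(app_id, email)):
        return {"ok": False, "reason": "invalid_invite"}
    app.members.add(email)
    return {"ok": True}


if __name__ == "__main__":
    reg = make_registry()
    aid = app_id_from_path("/api/apps/a1b2c3d4/manifest.json")
    pending = register_vulnerable(reg, aid, "attacker@evil.example")["pending"]
    print("vulnerable flow admitted attacker:",
          verify_vulnerable(reg, *pending, pending[2]))
    print("hardened flow:", register_hardened(make_registry(), aid,
                                              "attacker@evil.example", ""))
```

The invitation is an HMAC rather than a random token stored per user only to keep the example stateless; a database-backed, single-use token with an expiry is the usual production choice. The important property is the same either way: the value an attacker can read out of a URL is not the value that authorizes enrolment.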

During the investigation, Wiz researchers confirmed that multiple enterprise applications were vulnerable, including internal chatbots, knowledge bases, and HR systems containing personally identifiable information and other sensitive corporate data.

Upon discovering the vulnerability, Wiz Research reported it to Wix under responsible disclosure.
Base44 and Wix quickly validated the report and deployed fixes within 24 hours. Wix confirmed there was no evidence that the vulnerability had been exploited in the wild.
The flaw highlights the broader risks inherent in the shared infrastructure model of AI-powered development platforms.
As these systems become increasingly integrated into government agencies and critical infrastructure, the potential impact of a platform-level vulnerability grows accordingly.
This incident underscores the importance of robust security measures in the rapidly growing vibe coding ecosystem.
As businesses move critical functions onto these platforms, comprehensive security assessments and aggressive vulnerability management become essential to maintain the integrity of sensitive organizational data and to ensure the secure evolution of AI-powered development tools.
