AI Vibe Coding Platform Hacked

A severe authentication bypass vulnerability in Base44, a popular AI-powered vibe coding platform recently acquired by Wix, could have allowed attackers unauthorized access to private enterprise applications and sensitive corporate data.

The vulnerability, which was patched within 24 hours of disclosure, highlights growing security concerns in the rapidly expanding AI development ecosystem.

Key Takeaways
1. A critical flaw in Base44 lets anyone access private apps using public app IDs.
2. Poorly secured APIs exposed enterprise data to attack.
3. The issue was quickly fixed, but it highlights the need for better AI platform security.

Authentication Bypass Vulnerability

The vulnerability, discovered by Wiz Research, was straightforward to exploit, requiring only a non-secret app_id value to gain complete access to private applications. 

Attackers could leverage undocumented API endpoints /api/apps/{app_id}/auth/register and /api/apps/{app_id}/auth/verify-otp to create verified accounts for private applications, effectively bypassing all authentication controls, including Single Sign-On (SSO) protections.

The app_id values, appearing as random strings like 686d0a751a78bb2608517740, were easily discoverable as they’re hardcoded in application manifest paths at manifests/{app_id}/manifest.json. 

This meant any Base44 application’s identifier was immediately visible in URI paths, making the vulnerability trivial to exploit across the platform’s entire user base.

The security flaw was uncovered through reconnaissance of Base44’s external attack surface, where researchers identified publicly accessible Swagger-UI interfaces at app.base44.com and docs.base44.com. 

These interactive API documentation tools inadvertently exposed internal authentication endpoints without proper access controls.

By examining the “auth” APIs section within the Swagger documentation, researchers identified that registration endpoints lacked authentication requirements for private applications configured with SSO-only access. 

This architectural oversight allowed complete circumvention of the platform’s privacy settings through basic API manipulation.

Enterprise Applications at Risk 

The vulnerability’s impact extended beyond individual applications due to the vibe coding platforms’ shared infrastructure model, where all customer applications inherit the vendor’s security posture.

During the research period, multiple enterprise applications were confirmed vulnerable, including internal chatbots, knowledge bases, and HR operations systems containing personally identifiable information (PII).

The company confirmed no evidence of malicious exploitation during the vulnerable period and has since verified that proper validation now prevents unauthorized registration attempts on private applications.

As vibe coding platforms gain enterprise adoption for critical business functions, robust security foundations become essential for protecting sensitive corporate data in shared cloud environments.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches