Researchers at cloud security giant Wiz have discovered a critical vulnerability in the vibe coding platform Base44 that could have been exploited to gain access to private applications and sensitive data belonging to enterprises that use it.
Base44, recently acquired by website-building giant Wix, is a vibe coding platform reportedly used by thousands of enterprises. Vibe coding enables users to generate code based on natural language prompts fed to AI tools.
Wiz researchers recently analyzed Base44’s publicly accessible assets and discovered some API endpoints that could be abused to bypass authentication.
They found that two endpoints, one for registering a new user with an email address and password and one for verifying that user with a one-time password, did not require authentication. As a result, anyone who knew a target application’s ‘app_id’ value could register an account for that private application.
The researchers quickly discovered that the required ‘app_id’ was hardcoded in each application’s URI and manifest.json file path. This enabled them to register new user accounts for applications they did not own.
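The core defect described above is an authorization one: a value that is effectively public (the ‘app_id’ visible in every application’s URI and manifest path) was the only thing standing between an outsider and an account on a private application. The following Python is an added illustration, not Base44’s, Wix’s or Wiz’s code: it models a registration flow with that gap beside a hardened version in which private applications only accept registrations backed by an owner-issued, single-use invitation bound to the app and the invitee’s email. All application names, addresses and the two registry classes are constructed for the example.

```python
# Added illustration (not Base44's or Wiz's code): a registration flow where a public
# app_id is the only gate, beside a hardened flow that requires an owner-issued invite.
# Every name and value below is constructed for the example.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed app catalogue. The app_id values are deliberately treated as public:
# in the scenario the article describes they are readable from the URI / manifest path.
APPS = {
    "app-hr-portal": {"private": True, "owner": "admin@example.test"},
    "app-public-faq": {"private": False, "owner": "admin@example.test"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 so the demo never stores plaintext passwords."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


class VulnerableRegistry:
    """Knowing app_id is enough to obtain an account on a private application."""

    def __init__(self) -> None:
        self.users: Dict[Tuple[str, str], str] = {}  # (app_id, email) -> password hash

    def register(self, app_id: str, email: str, password: str) -> bool:
        if app_id not in APPS:
            return False
        # No check that this app allows self-registration, no invitation, no allowlist:
        # the caller's knowledge of a public identifier is treated as authorization.
        self.users[(app_id, email)] = hash_password(password)
        return True


class HardenedRegistry:
    """Private apps accept registration only with a single-use invitation that the app
    owner issued for exactly this app and this email address."""

    def __init__(self) -> None:
        self.users: Dict[Tuple[str, str], str] = {}
        self.invites: Dict[Tuple[str, str], str] = {}  # (app_id, email) -> token

    def issue_invite(self, app_id: str, email: str, issued_by: str) -> Optional[str]:
        app = APPS.get(app_id)
        if app is None or app["owner"] != issued_by:
            return None  # only the owning account may invite users to its app
        token = secrets.token_urlsafe(32)
        self.invites[(app_id, email)] = token
        return token

    def register(self, app_id: str, email: str, password: str,
                 invite: Optional[str] = None) -> bool:
        app = APPS.get(app_id)
        if app is None:
            return False
        if app["private"]:
            expected = self.invites.get((app_id, email))
            # Reject a missing or wrong invitation; compare in constant time.
            if expected is None or invite is None or not hmac.compare_digest(
                expected.encode(), invite.encode()
            ):
                return False
            del self.invites[(app_id, email)]  # single use
        self.users[(app_id, email)] = hash_password(password)
        return True


if __name__ == "__main__":
    h = HardenedRegistry()
    print(h.register("app-hr-portal", "outsider@example.test", "pw"))  # False
    tok = h.issue_invite("app-hr-portal", "alice@example.test", issued_by="admin@example.test")
    print(h.register("app-hr-portal", "alice@example.test", "pw", invite=tok))  # True
```

The design choice worth noting is that the hardened registry never asks whether the caller knows the app_id; it asks whether the application’s owner authorized this specific email to join, and it consumes the invitation on first use. The same principle applies to the one-time-password verification step the article mentions: an OTP should only complete a registration that was itself authorized, rather than serve as an independent door.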
“During our research we managed to confirm authentication bypass was available across several enterprise applications that utilized the popular vibe coding platform for internal chatbots, knowledge bases, PII & HR operations – significant sensitive data that could have been leaked to unauthorized attackers,” Wiz explained.
The company added, “What made this vulnerability particularly concerning was its simplicity – requiring only basic API knowledge to exploit. This low barrier to entry meant that attackers could systematically compromise multiple applications across the platform with minimal technical sophistication.”
Wix patched the vulnerability within 24 hours of being notified and its investigation showed that it had not been exploited in the wild prior to the fix being rolled out. Since the patch was applied on the server side, customers do not need to take any action.