- Researchers find Base44’s “vibe coding” platform contained security flaw
- This allowed threat actors to access data that should be private
- The bug was squashed within 24 hours with no signs of abuse
Vibe coding platform Base44 contained a major security vulnerability which could have allowed unauthorized users to access other people’s private applications, experts have warned.
The issue was discovered in early July 2025 by security pros from Wiz Research, who explained how exposed API endpoints on Base44’s platform allowed threat actors to create a verified account on private apps using nothing more than app_id, a piece of code that is publicly visible.
Normally, authentication systems ask for strong credentials, and means of identity verification, but Base44’s setup apparently lets anyone bypass those checks using just that one code. One could think of it like showing up to a locked office building, shouting “I’m here for app_id 12345”, and the doors would open – no questions asked.
Vibe coding
Attackers could easily grab an app_Id from public files, and use it to “register” through unsecured API routes, accessing apps that handle sensitive employee data and company communications.
The vulnerability could have affected enterprise apps handling HR and personally identifiable information (PII), internal chatbots and knowledge bases, as well as automation tools used in day-to-day operations.
Once Wiz discovered the flaw, it reached out to Wix, the company which owns Base44, who fixed it within a day.
Wix added it found no signs of abuse by threat actors. The researchers also identified vulnerable apps and reached out to some of the affected companies directly.
Vibe coding is a relatively new slang term for coding with the help of generative AI and through natural language rather than writing actual code. A developer will discuss their ideas and needs with the AI, which would come back with code. It has gained a lot of popularity lately, but news such as this one highlight that the method is not without its risks.
Since the background infrastructure is shared, there is always a risk of information leaking somewhere.
