Full Report
New discovery underscores security implications of AI-powered development and the rise of Vibe Coding Platforms
Analysis Summary
# Vulnerability: Base44 Authentication Bypass via Undocumented Endpoints
## CVE Details
- CVE ID: Not Assigned (At the time of disclosure/summary)
- CVSS Score: Not explicitly rated, but implied High/Critical due to bypassing SSO and gaining access to private enterprise applications.
- CWE: CWE-287 (Improper Authentication) or CWE-863 (Missing or Incorrect Authorization)
## Affected Systems
- Products: Base44 (Vibe Coding Platform, recently acquired by Wix)
- Versions: Unspecified, but affected versions existed prior to July 9th, 2025.
- Configurations: Any private applications built by users on the platform.
## Vulnerability Description
A critical vulnerability existed in Base44's authentication mechanism, specifically via undocumented registration and email verification endpoints. An attacker could bypass all authentication controls, including Single Sign-On (SSO), by providing only a non-secret `app_id` value to these endpoints. Successful exploitation allowed an attacker to create a verified account associated with private applications, granting unauthorized and full access to those applications and the sensitive data they contained.
## Exploitation
- Status: Proof of Concept (PoC) available internally (developed by the researcher). Not reported as exploited in the wild prior to disclosure.
- Complexity: Low (Exploited by providing a non-secret `app_id` to undocumented endpoints).
- Attack Vector: Network
## Impact
- Confidentiality: High (Full access to private enterprise applications and sensitive data).
- Integrity: High (Potential to modify or delete data within private applications).
- Availability: Medium (Potential to disrupt service availability through unauthorized interaction).
## Remediation
### Patches
- The issue was fixed in less than 24 hours following initial disclosure on July 9th, 2025.
- Specific patch version is not provided, but the vulnerability was confirmed resolved by July 13th, 2025.
### Workarounds
- No specific workarounds were detailed, as the underlying issue was patched rapidly. Administrators likely relied on the vendor fix.
## Detection
- Indicators of Compromise: Unauthorized account creation or successful access to private applications from unexpected sources/credentials prior to July 9th, 2025.
- Detection methods and tools: Specific detection mechanisms were not published, but standard API monitoring for unusual registration or verification requests against undocumented endpoints would be relevant.
## References
- Wiz Research Blog: [https://www.wiz.io/blog/tag/ai] (Defanged: hxxps://www.wiz.io/blog/tag/ai)
- Wiz Research Blog on Vibe Coding Security: [https://www.wiz.io/blog/safer-vibe-coding-rules-files] (Defanged: hxxps://www.wiz.io/blog/safer-vibe-coding-rules-files)
- Wiz Research Academy: [https://www.wiz.io/academy/attack-surface] (Defanged: hxxps://www.wiz.io/academy/attack-surface)