Severe Vulnerability in AI Vibe Coding Platform Base44 Lets Attackers Access Private User Applications
A critical security vulnerability in the popular AI-powered development platform Base44 allowed unauthorized attackers to bypass authentication controls and gain access to private enterprise applications, according to a new report from Wiz Research.
The flaw, which has since been patched, exposed sensitive corporate data across multiple organizations using the vibe coding platform for internal tools and automation.
The Rise of Vibe Coding Platforms
Vibe coding represents a revolutionary approach to software development where users rely on artificial intelligence to generate functional applications through natural language prompts, eliminating the need for traditional programming skills.
Platforms like Base44, Lovable, and Bolt have democratized app development, enabling millions of users to create everything from personal tools to enterprise-grade systems handling sensitive corporate data.
Base44, which was recently acquired by Wix for $80 million following its rapid rise in the AI development space, hosts applications on shared infrastructure where all customers inherit the vendor’s security posture.
This model creates a critical single point of failure where platform-level vulnerabilities can instantly compromise every application built on the system.
The vulnerability discovered by Wiz Research was remarkably straightforward to exploit.
Attackers needed only a non-secret app_id value to access undocumented registration and email verification endpoints, effectively bypassing all authentication controls including Single Sign-On (SSO) protections.
The app_id values, which appear as random strings, are actually visible in application URIs and manifest.json file paths, making them easily discoverable rather than truly secret.
Using these publicly accessible identifiers, attackers could register new user accounts for private applications through Base44’s Swagger-UI interface, receive verification codes via email, and gain full access to applications they didn’t own.
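The following is an added, self-contained illustration of the flaw class described above and is not Base44's code or anything published by Wiz: a hypothetical multi-tenant registration endpoint that grants membership to anyone who knows a tenant's public app_id, beside a hardened version in which the tenant's own policy (SSO-only, invite-only) decides who may enrol, plus a small detection routine run over constructed log lines. The app names, identifiers, the `/auth/register` path and the log format are all made up for the example.

```python
"""Constructed example: why a public app_id must never double as an authorization token."""
from dataclasses import dataclass, field
import re
import secrets


@dataclass
class App:
    app_id: str                 # public identifier, visible in URIs and manifests
    name: str
    private: bool               # only invited users may sign in
    sso_only: bool              # organisation mandates SSO; no local accounts
    invited: set = field(default_factory=set)   # lower-cased invited e-mails
    users: dict = field(default_factory=dict)


def build_apps():
    """Fresh in-memory tenant table (constructed sample data, not real tenants)."""
    return {
        "pub-0001": App("pub-0001", "Public survey tool", private=False, sso_only=False),
        "hr-7f3a": App("hr-7f3a", "HR knowledge base", private=True, sso_only=True),
        "kb-21c9": App("kb-21c9", "Internal wiki", private=True, sso_only=False,
                       invited={"alice@corp.example"}),
    }


def register_vulnerable(apps, app_id, email):
    """Flawed pattern: the only check is that app_id exists. Because app_id is
    discoverable, anyone can enrol in any app, regardless of its policy."""
    app = apps.get(app_id)
    if app is None:
        return {"ok": False, "reason": "unknown_app"}
    code = secrets.token_hex(3)                 # stands in for the e-mailed code
    app.users[email.lower()] = {"verified": False, "code": code}
    return {"ok": True, "reason": "verification_sent"}


def verify_vulnerable(apps, app_id, email, code):
    """Completing verification grants full membership of the app."""
    record = apps[app_id].users.get(email.lower())
    if record and secrets.compare_digest(record["code"], code):
        record["verified"] = True
        return True
    return False


def register_hardened(apps, app_id, email):
    """Authorisation is decided by the tenant's policy, never by knowledge of app_id."""
    app = apps.get(app_id)
    if app is None:
        return {"ok": False, "reason": "unknown_app"}
    if app.sso_only:
        # Self-registration must be disabled outright when the tenant mandates SSO.
        return {"ok": False, "reason": "sso_required"}
    if app.private and email.lower() not in app.invited:
        # Private apps admit only identities that an administrator invited beforehand.
        return {"ok": False, "reason": "not_invited"}
    code = secrets.token_hex(3)
    app.users[email.lower()] = {"verified": False, "code": code}
    return {"ok": True, "reason": "verification_sent"}


# Hypothetical access-log format for the registration endpoint.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) POST /auth/register app_id=(?P<app_id>\S+) "
    r"email=(?P<email>\S+) status=(?P<status>\d+)$"
)


def find_suspicious_registrations(apps, log_lines):
    """Detection: flag successful self-registrations on apps whose policy
    should never have allowed them (SSO-only, or private and not invited)."""
    alerts = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue
        app = apps.get(m["app_id"])
        if app is None:
            continue
        email = m["email"].lower()
        if app.sso_only or (app.private and email not in app.invited):
            alerts.append((m["ts"], app.name, email))
    return alerts


# Constructed log lines (timestamps and addresses are placeholders).
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z POST /auth/register app_id=pub-0001 email=fan@example.net status=200",
    "2025-01-01T10:00:07Z POST /auth/register app_id=hr-7f3a email=outsider@example.net status=200",
    "2025-01-01T10:00:09Z POST /auth/register app_id=kb-21c9 email=alice@corp.example status=200",
    "2025-01-01T10:00:15Z POST /auth/register app_id=kb-21c9 email=outsider@example.net status=200",
    "2025-01-01T10:00:20Z POST /auth/register app_id=hr-7f3a email=other@example.net status=403",
]

if __name__ == "__main__":
    apps = build_apps()
    print("vulnerable:", register_vulnerable(apps, "hr-7f3a", "outsider@example.net"))
    print("hardened:  ", register_hardened(build_apps(), "hr-7f3a", "outsider@example.net"))
    for alert in find_suspicious_registrations(build_apps(), SAMPLE_LOG):
        print("ALERT unexpected registration:", alert)
```

The hardened variant makes the policy decision server-side from tenant configuration, so exposing the endpoint in an API explorer no longer matters: a tenant that mandates SSO has no working self-registration path at all, and a private tenant admits only pre-invited identities. The detection routine is the same policy applied retrospectively to access logs, which is the check a platform operator would run to answer the "was this exploited?" question the article raises.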

During their research, Wiz investigators confirmed that multiple enterprise applications were vulnerable, including internal chatbots, knowledge bases, and HR systems containing personally identifiable information and other sensitive corporate data.

Upon discovering the vulnerability, Wiz Research immediately disclosed the issue through responsible disclosure practices.
Base44 and Wix promptly validated the report and implemented a fix within 24 hours. Wix confirmed there was no evidence of past exploitation of the vulnerability in the wild.
The security flaw highlights broader risks inherent in the shared infrastructure model of AI-powered development platforms.
As these systems become increasingly integrated into government agencies and critical infrastructure, the potential impact of platform-level vulnerabilities grows exponentially.
This incident underscores the importance of robust security measures in the rapidly expanding vibe coding ecosystem.
With enterprises increasingly relying on these platforms for critical business functions, comprehensive security assessments and proactive vulnerability management become essential for maintaining the integrity of sensitive organizational data and ensuring the secure evolution of AI-powered development tools.