- Researchers find Base44's "vibe coding" platform contained a security flaw
- This enabled threat actors to access data that should be private
- The bug was squashed within 24 hours, with no signs of abuse
Vibe coding platform Base44 contained a major security vulnerability that could have given unauthorized users access to other people's private applications, experts have warned.
The problem was discovered in early July 2025 by security professionals from Wiz Research, who explained how exposed API endpoints on Base44's platform allowed threat actors to create a verified account on private apps using nothing but an app_id, a piece of code that is publicly visible.
Usually, authentication systems ask for strong credentials and identity verification, but Base44's setup apparently let someone bypass these controls using just that one code. You could think of it like showing up to a locked office building and shouting "I'm here for the app_id 12345" and the doors would open, no questions asked.
Vibe coding
Attackers could easily grab an app_id from public files and use it to create a verified account through unsecured API routes, gaining access to apps that handle sensitive employee data and business communication.
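The flaw described above, reduced to its access-control logic, as an added example that is not from the original article or from Base44's code. The `App` record, both `register_*` functions and the invite scheme are hypothetical; the invite token stands in for whatever real control (SSO, owner approval) a platform enforces.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class App:
    app_id: str   # public identifier, visible in client-side files
    private: bool
    invite_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    members: set = field(default_factory=set)


def issue_invite(app, email):
    """Owner side: bind an invite to one app and one email address."""
    msg = f"{app.app_id}:{email.lower()}".encode()
    return hmac.new(app.invite_key, msg, hashlib.sha256).hexdigest()


def register_weak(apps, app_id, email):
    """Flawed pattern: knowing the public app_id is treated as authorization."""
    app = apps.get(app_id)
    if app is None:
        return False
    app.members.add(email.lower())
    return True


def register_hardened(apps, app_id, email, invite=None):
    """app_id only selects the app; a private app also needs a valid invite."""
    app = apps.get(app_id)
    if app is None:
        return False
    if app.private:
        expected = issue_invite(app, email).encode()
        supplied = (invite or "").encode()  # bytes: compare_digest rejects non-ASCII str
        if not hmac.compare_digest(expected, supplied):
            return False
    app.members.add(email.lower())
    return True


def make_sample_apps():
    """Constructed sample data: one private app with a made-up id."""
    return {"app-12345": App("app-12345", private=True)}
```
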
The vulnerability could have affected company apps that handle HR and personally identifiable information (PII), internal chatbots and knowledge bases, as well as automation tools used in daily operations.
When Wiz discovered the error, it reached out to Wix, the company that owns Base44, which fixed it within a day.
Wix added that it found no sign of abuse by threat actors. The researchers also identified vulnerable apps and reached out to some of the affected companies directly.
Vibe coding is a relatively new term for coding with generative AI through natural language rather than writing actual code. A developer discusses their ideas and needs with an AI, which returns code. It has gained a lot of popularity recently, but news like this emphasizes that the method is not without its risks.
Since the underlying infrastructure is shared, there is always a risk of information leaking somewhere.
Via Infosecurity Magazine



