How did the Base44 authentication bypass vulnerability work?

The vulnerability was caused by misconfigured API endpoints that allowed attackers to bypass authentication by exploiting undocumented registration and email verification endpoints. It affected two specific endpoints: api/apps/{app_id}/auth/register for registering new users and api/apps/{app_id}/auth/verify-otp for verifying users with one-time passwords.

How could attackers exploit the Base44 vulnerability?

By providing only a non-secret app_id value to the registration and email verification endpoints, an attacker could create a verified account for private applications. The app_id values were easily discoverable as they were visible in application URIs and hardcoded in manifest paths at manifests/{app_id}/manifest.json.

Does the Base44 vulnerability have a CVE number?

No, the Base44 authentication bypass vulnerability does not have a CVE tracking number assigned to it. Despite being a critical security flaw affecting thousands of users and millions of applications, it remains without official CVE identification.

When was the Base44 vulnerability disclosed and fixed?

Wiz Research disclosed the vulnerability to Base44 on July 9, 2025, and a fix was deployed within 24 hours on July 10, 2025. This represents an exceptionally quick response time for such a critical security vulnerability.

What types of applications were vulnerable on Base44?

The vulnerability affected private enterprise applications built on the Base44 platform, including internal chatbots, knowledge bases, and applications handling personally identifiable information (PII) operations. Any application with discoverable app_id values was potentially vulnerable to unauthorized access.

What should organizations using Base44 do about this vulnerability?

Organizations using Base44 should review their application analytics for any unusual user visits and registrations that may have occurred before the fix was deployed on July 10, 2025. They should also monitor for any suspicious activity or unauthorized access to their private applications built on the platform.

How were app_id values discoverable in Base44 applications?

The app_id values required for exploitation were not secret and were easily discoverable through two methods: when navigating to any Base44 application, the app_id was immediately visible in the URI, and all applications had their app_ids hardcoded in their manifest path at manifests/{app_id}/manifest.json.

Advisory

Critical authentication bypass flaw reported in AI coding platform Base44

Q: What is the Base44 authentication bypass vulnerability?

Wiz Research disclosed a critical authentication bypass vulnerability in Base44, a popular AI-powered 'vibe coding' platform that allowed unauthorized access to private enterprise applications built by users across the platform. The vulnerability affected the platform's authentication mechanisms and allowed attackers to bypass all authentication controls, including Single Sign-On (SSO) protections.

Q: What is Base44?

Base44 is a popular AI-powered 'vibe coding' platform that allows users to build applications. The platform was reported to have over 20,000 users as of March 2025, with millions of applications created across the platform, including internal chatbots, knowledge bases, and applications handling personally identifiable information (PII).

Q: How did Wiz Research discover vulnerable Base44 applications?

Wiz Research identified vulnerable applications through simple DNS reconnaissance and URL scanners to identify domains and applications related to Base44. The researchers successfully confirmed that authentication bypass was available across multiple Base44 applications used for internal chatbots, knowledge bases, and PII operations.

Q: How many users were potentially affected by the Base44 breach?

The number of affected individuals has not been disclosed. However, the Base44 platform was reported to have over 20,000 users as of March 2025, with millions of applications created across the platform, suggesting the potential for widespread impact across enterprise users and their applications.

Q: Was there evidence of the Base44 vulnerability being exploited?

According to Base44, there was no evidence of past abuse and their investigation found no indication of compromise across the Base44 user base. However, the vulnerability was actively exploitable until it was patched on July 10, 2025.

published: July 29, 2025

Take action: You can't do much about the flaw, it's already patched. If your organization uses Base44 for applications, review them for any suspicious user registrations or unusual access patterns. If you are developing applications, NEVER code undocumented endpoints and API interfaces, especially without a proper authentication. Security by obscurity doesn't work.

Learn More

Wiz Research has disclosed a critical authentication bypass vulnerability in Base44, a popular AI-powered "vibe coding" platform that allowed unauthorized access to private enterprise applications built by users across the platform.

The security flaw has no CVE tracking number. It affected the Base44 platform's authentication mechanisms. The vulnerability was caused by misconfigured API endpoints that allowed attackers to bypass all authentication controls, including Single Sign-On (SSO) protections, by exploiting undocumented registration and email verification endpoints. The vulnerability affected two API endpoints: api/apps/{app_id}/auth/register for registering new users and api/apps/{app_id}/auth/verify-otp for verifying users with one-time passwords.

By providing only a non-secret app_id value to the registration and email verification endpoints, an attacker could have created a verified account for private applications on their platfom. The app_id values required for exploitation were not secret and were easily discoverable:

When navigating to any application developed on Base44, the app_id is immediately visible in the URI.
All applications having their app_ids hardcoded in their manifest path: manifests/{app_id}/manifest.json

Wiz Research identified vulnerable applications by simple DNS reconnaissance and URL scanners to identify domains and applications related to base44. The researchers successfully confirmed that authentication bypass was available across multiple base44 applications used for internal chatbots, knowledge bases, and PII operations.

The number of affected individuals has not been disclosed, though Base44 platform was reported to have over 20,000 users as of March 2025, with millions of applications created across the platform.

Wiz Research disclosed the vulnerability to both Base44 on July 9, 2025 and a fix was deployed within 24 hours on July 10, 2025. Wix claims that there was no evidence of past abuse and that the investigation found no indication of compromise across the Base44 user base.

Organizations using Base44 should review their application analytics for any unusual user visits and registrations.

Critical authentication bypass flaw reported in AI coding platform Base44

Read More
Critical VMware vulnerabilities enable Virtual Machine escape, host …
CISA warns of actively exploited old Linux kernel …
Kanboard patches critical authentication bypass and information disclosure …
Multiple Citrix products reported vulnerable to regreSSHion flaw
SAP April 2024 patch fixes several high severity …