Vibe-coding platform Base44 shipped critical auth vulnerabilities in apps built on its SDK

Jul 2025

Wiz researchers discovered critical authentication vulnerabilities in Base44, an AI-powered vibe-coding platform that lets non-developers build and deploy web apps. The auth logic bugs in Base44's SDK allowed account takeover across every app built and hosted on the platform, affecting all users of those apps until patches were rolled out.

Incident Details

Perpetrator:Developer

Severity:Facepalm

Blast Radius:Potential ATO across many sites until patches rolled out.

Tech Stack

Base44JWTOAuth 2.0Web SDK

References

The Hacker News: Widespread auth flaw in Base44 ↗Wiz research detail ↗Infosecurity Magazine: Critical auth flaw in Base44 vibe-coding platform ↗Nudge Security: Base44 vulnerability allowed unauthorized access to private apps ↗