Security Flaw Found in Wix’s Velo Coding Platform

A major security issue has been identified in Wix’s Velo (formerly Base44) coding platform, which left applications potentially open to unauthorised access.

The flaw, uncovered by cloud security firm Wiz, allowed attackers to bypass normal authentication procedures and access private business applications. The concern stemmed from how easily a supposedly hidden app ID could be uncovered and exploited, highlighting the seriousness of the vulnerability.

Exposed Sensitive Identification Number

A seemingly random identification number, known as an app_id, was found to be embedded within publicly accessible elements such as the application’s URL and the manifest.json file. This exposed a vulnerability whereby attackers could generate a verified account, even if user registration had been disabled. As a result, key access restrictions—including Single Sign-On (SSO), which many businesses rely on for secure login—could be completely bypassed.

The security team at Wiz pointed out how straightforward it was to locate these sensitive app_id values:

“When exploring any application built on the Base44 platform, the app_id is immediately visible in both the URL and the path to the manifest.json file. Every app has its app_id hardcoded in the structure: manifests/{app_id}/manifest.json.”

Creating A Rogue Account Was Relatively Trivial

Exploiting the vulnerability didn’t require any special access or advanced technical knowledge. Once a working app_id was discovered, an attacker could simply use publicly available tools like Swagger-UI to create a new account, receive a one-time password (OTP) by email, and complete the account verification without any real barriers.

After that, signing in via the application’s Single Sign-On (SSO) process granted full access to internal systems—even if the app was originally meant to be restricted to certain users or teams. This highlighted a major security weakness in the platform’s reliance on the app_id being secure and not manipulated or used from outside the intended environment.

Authentication Flaw Risked Exposure of Sensitive Data

A large number of the impacted applications had been developed using the widely used Base44 Vibe coding platform for internal purposes, including functions like HR tools, chatbots, and internal knowledge systems. These platforms often held personal identifiable information (PII) and were central to HR operations. The security flaw allowed attackers to sidestep identity verification measures and gain entry to private enterprise applications, putting confidential data at risk.

Wix Fixes Flaw Within 24 Hours

The cloud security firm identified the vulnerability through a careful review of publicly available data, searching for possible weaknesses. This process led to the discovery of exposed app_id numbers, which then allowed them to map out how unauthorised access could be gained. Following this, they alerted Wix, who acted swiftly to resolve the issue.

The security company later confirmed in its report that there are no signs the flaw was exploited. The vulnerability has now been fully resolved.

Why Did This Security Incident Happen?

Wix Asserts Commitment to Security Measures
According to the report, Wix stated that it takes a proactive approach when it comes to product security. The company shared that it continues to invest significantly in enhancing the protection of its platforms and actively manages any potential vulnerabilities. Wix also reaffirmed its dedication to safeguarding both users and their data.

Security Experts Describe Flaw as Easily Detectable
The research conducted by Wiz suggests the flaw was surprisingly easy to uncover. They used basic reconnaissance methods, such as identifying subdomains through both passive and active techniques—tools commonly available to anyone with basic cybersecurity knowledge.

The report noted the ease with which the vulnerability could be exploited, pointing out:
“What made this vulnerability particularly concerning was its simplicity – requiring only basic API knowledge to exploit. This low barrier to entry meant that attackers could systematically compromise multiple applications across the platform with minimal technical sophistication.”

This raises a valid concern: if the flaw was so simple to find and exploit, how did Wix’s supposedly proactive security approach not detect it earlier?

For example, if a third-party security audit had been carried out, why weren’t the exposed app_id values—clearly visible in the manifest.json file—picked up? Given how easily that data could be found, it’s reasonable to question whether Wix’s security practices were as thorough as claimed. The contrast between the simplicity of the flaw and the company’s stated vigilance suggests there may be gaps in their security strategy.

Takeaways:

Easily Identifiable and Exploitable Flaw
The security issue could be located and taken advantage of using standard tools and openly available online data—there was no need for specialist expertise or insider knowledge.

Workaround to Corporate Access Controls
Hackers were able to sidestep protective measures such as restricted user sign-ups and Single Sign-On (SSO) identity checks, gaining access to internal business applications that were meant to be secure.

Security Challenges in Rapid Development Platforms
According to Wiz, platforms like Vibe—designed for rapid application development—can create larger security threats across a wide range of apps if not properly safeguarded.

Questioning Security Claims
There appears to be a gap between Wix’s assurance of proactive security and the reality of how easily the flaw was found and exploited. This has raised doubts about how rigorous their security reviews actually are.

Broader Implications
Wiz uncovered a serious weakness in Wix’s Base44 vibe coding framework that allowed authentication to be bypassed, potentially granting access to confidential business systems. The firm believes this case underscores the dangers of overlooking security in fast-moving development environments, which could leave entire platforms vulnerable.