Overview
- Wiz Research discovered on July 9 that public API endpoints in Base44 could be abused to bypass authentication controls
- Attackers needed only a non-secret app_id to register and verify accounts on private applications, sidestepping Single Sign-On protections
- Wix deployed a server-side fix within 24 hours of disclosure, and subsequent analysis found no signs of malicious use
- Customers are urged to review access logs from before the patch for any unusual activity, though no additional action is required
- The incident highlights the importance of robust authentication controls in AI-driven development platforms that share backend infrastructure
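
One way to carry out the pre-patch log review mentioned above is sketched below. It is an added example, not code from Wiz, Wix or Base44. The JSON-lines schema, the event names (`register`, `verify`, `sso_login`), the app ids and the cutoff timestamp are all constructed assumptions to be replaced with your own export format and the actual fix time.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions (not from the page): log schema, event names, app ids and the
# cutoff timestamp are constructed placeholders; substitute your own values.
PATCH_CUTOFF = datetime(2000, 1, 2, tzinfo=timezone.utc)  # placeholder for the fix time
SSO_ONLY_APPS = {"app-private-1"}                          # apps meant to be SSO-only

SAMPLE_LOG = """\
{"ts":"2000-01-01T08:00:00+00:00","app_id":"app-private-1","event":"sso_login","email":"staff@corp.example","src_ip":"198.51.100.7"}
{"ts":"2000-01-01T09:10:00+00:00","app_id":"app-private-1","event":"register","email":"x@mail.example","src_ip":"203.0.113.9"}
{"ts":"2000-01-01T09:11:30+00:00","app_id":"app-private-1","event":"verify","email":"x@mail.example","src_ip":"203.0.113.9"}
{"ts":"2000-01-01T10:00:00+00:00","app_id":"app-public-2","event":"register","email":"y@mail.example","src_ip":"203.0.113.20"}
not-json garbage line
{"ts":"2000-01-03T09:00:00+00:00","app_id":"app-private-1","event":"register","email":"z@mail.example","src_ip":"203.0.113.30"}
"""

def review_pre_patch(log_text, sso_only=SSO_ONLY_APPS, cutoff=PATCH_CUTOFF):
    """Return (findings, skipped): non-SSO account creation on SSO-only apps before cutoff."""
    seen = defaultdict(dict)   # (app_id, email) -> {event name: first matching record}
    skipped = 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            if ts.tzinfo is None:                  # treat naive timestamps as UTC
                ts = ts.replace(tzinfo=timezone.utc)
            key = (rec["app_id"], rec["email"].lower())
            event = rec["event"]
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1       # count unparseable lines instead of hiding them
            continue
        if rec["app_id"] in sso_only and ts < cutoff and event in ("register", "verify"):
            seen[key].setdefault(event, rec)
    findings = []
    for (app_id, email), events in sorted(seen.items()):
        # register + verify means the account was fully activated: review these first
        status = "activated" if events.keys() >= {"register", "verify"} else "attempted"
        ips = sorted({r["src_ip"] for r in events.values() if "src_ip" in r})
        findings.append({"app_id": app_id, "email": email, "status": status, "src_ips": ips})
    return findings, skipped

if __name__ == "__main__":
    for finding in review_pre_patch(SAMPLE_LOG)[0]:
        print(finding)
```

Accounts reported as `activated` on an SSO-only app should be checked against the identity provider's user list; any that do not exist there were created outside SSO.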