Base44 Security Review
Manual security audit by senior engineers. We trace every auth path, every secret, and every integration in your Base44 app and tell you what's broken.
From $300
Security issues we find in Base44 apps
Patterns documented in primary-source research. Most of these ship to production by default.
JWT passed to apps via URL
Wiz and Imperva disclosed that Base44 passed the user's main account JWT to apps via the URL, and apps could run arbitrary JS. Any app developer could harvest tokens for full account takeover.
Open redirect leaking access tokens
Confirmed by Imperva's research. Tokens leaked via redirect chains.
Stored XSS in app-generated content
Base44 didn't sanitize user-supplied HTML in entity fields, allowing stored cross-site scripting.
Client-side-only enforcement of premium features
Paid features could be unlocked by editing the client. Backend validation absent.
Entity schema files excluded from 'Freeze Files'
Because entity schema files are excluded from 'Freeze Files', the AI agent overwrites manually configured RLS rules during publish. The rules silently disappear after every redeploy.
Public API endpoints bypassing auth
Wiz researchers found enterprise app endpoints accessible without authentication.
Default 'everyone can view' on data types
Data types default to 'everyone can view', and this permissive role setting persists on data types that should be admin-only unless it is changed by hand.
What a Base44 Security Review covers
Frequently asked questions
- Are Base44 apps still secure after the Wiz disclosure?
- The patched issues (JWT-via-URL, open redirect, stored XSS, public API endpoints) are fixed at the platform level. But individual apps still have role misconfigurations, missing input validation, and rules that get overwritten on redeploy. An audit catches these.
- Can I migrate my Base44 app to my own stack?
- Yes. We use a combination of the community base44-to-supabase-sdk and manual rebuilds to move your data, schema, and workflows to Supabase + Next.js. From $600.
- What happened in the February 2026 outage?
- A platform-wide outage stranded thousands of Base44 apps. Apps without GitHub sync (available only on paid tiers) had no fallback. This is the core reason for migrating off proprietary builders.
Find what's broken before users do.
Manual security review of your Base44 app. From $300.