Which versions of Mendix Studio Pro are affected by CVE-2026-7891?

CVE-2026-7891 is a critical authorization bypass in Mendix Studio Pro (through version 11.8.0 Beta) that automatically grants anonymous users access to application data without explicit permission…

Mendix Studio Pro CVE-2026-7891

Q: What is the CVSS score of CVE-2026-7891?

CVE-2026-7891 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28463 CRITICAL

Insecure Inherited Permissions (CWE-277)

2026-05-07 DIVD

GHSA-rrf3-mgv7-cw6m

Information Disclosure

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 08, 2026 - 00:15 vuln.today

CVSS changed

May 07, 2026 - 22:22 NVD

9.3 (CRITICAL)

CVE Published

May 07, 2026 - 21:07 nvd

UNKNOWN (no severity yet)

CVE Published

May 07, 2026 - 21:07 nvd

CRITICAL 9.3

DescriptionNVD

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.

AnalysisAI

Authorization bypass in Mendix Studio Pro through 11.8.0 Beta exposes all stored records to anonymous users due to undocumented role inheritance behavior. Applications built with affected Mendix versions silently grant anonymous users access to entity data despite no explicit permissions configured, allowing unauthenticated remote attackers to read and modify confidential records. …

RemediationAI

Within 24 hours: Identify all applications deployed using Mendix Studio Pro versions up to 11.8.0 Beta and classify by data sensitivity. Within 7 days: Implement network-level access controls (WAF rules, IP allowlisting) to restrict anonymous access to Mendix applications; contact Mendix support for interim guidance and confirmed safe versions. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7891 vulnerability details – vuln.today

Back

Mendix Studio Pro CVE-2026-7891

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Mendix Studio Pro CVE-2026-7891

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code