Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network access to all records gives C:H and (per vendor) I:H; AC:H because the app must be deployed with anonymous access enabled, a non-default configuration requirement; A:N as no availability impact.
Primary rating from Vendor (DIVD).
CVSS VectorVendor: DIVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.
AnalysisAI
Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.
Technical ContextAI
Mendix Studio Pro is Siemens' low-code application platform; apps built with it enforce data access through per-entity access rules bound to user roles. The root cause is CWE-277 (Insecure Inherited Permissions): the platform treats the Anonymous role like any authenticated role and applies user-role inheritance to it, granting inherited access rights that were never explicitly assigned. Because this inheritance behavior for the Anonymous role is undocumented, developers who leave a role's access rights blank assume 'no rights,' while the runtime actually grants inherited read (and per the CVSS vector, integrity) access. The CPE cpe:2.3:a:divd:verysecureapp identifies DIVD's proof-of-concept app, but the defect lives in the Mendix Studio Pro platform's authorization model rather than any single application.
RemediationAI
No vendor-released patched version of Mendix Studio Pro is independently confirmed from the available data; EUVD lists VerySecureApp as affected up to 1.1.0, implying a fix in a later app release, but no exact platform build number is provided - consult the DIVD advisory (https://csirt.divd.nl/DIVD-2026-00006/) and Siemens ProductCERT advisory (https://cert-portal.siemens.com/productcert/html/ssa-814963.html) for the authoritative fix. The immediate, actionable control is at the application layer: explicitly define access rules on every entity for the Anonymous user role and never rely on blank/unset rights to mean 'no access,' since the runtime inherits them; audit all entities reachable by the Anonymous role and set them to no access unless public exposure is intended. Where anonymous access is not required, disable anonymous/guest access entirely for the app, accepting that this forces authentication for all users. As a compensating control, place a review gate on any Mendix module that enables anonymous users so that inherited permissions are validated before publishing.
Same weakness CWE-277 – Insecure Inherited Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28463
GHSA-rrf3-mgv7-cw6m