Skip to main content

Mendix Studio Pro EUVDEUVD-2026-28463

| CVE-2026-7891 CRITICAL
Insecure Inherited Permissions (CWE-277)
2026-05-07 DIVD GHSA-rrf3-mgv7-cw6m
9.1
CVSS 4.0 · Vendor: DIVD
Share

Severity by source

Vendor (DIVD) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Unauthenticated network access to all records gives C:H and (per vendor) I:H; AC:H because the app must be deployed with anonymous access enabled, a non-default configuration requirement; A:N as no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (DIVD).

CVSS VectorVendor: DIVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jul 14, 2026 - 10:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 10:22 NVD
9.3 (CRITICAL) 9.1 (CRITICAL)
Analysis Generated
May 08, 2026 - 00:15 vuln.today
CVSS changed
May 07, 2026 - 22:22 NVD
9.3 (CRITICAL)
CVE Published
May 07, 2026 - 21:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 21:07 nvd
CRITICAL 9.3

DescriptionCVE.org

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.

AnalysisAI

Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.

Technical ContextAI

Mendix Studio Pro is Siemens' low-code application platform; apps built with it enforce data access through per-entity access rules bound to user roles. The root cause is CWE-277 (Insecure Inherited Permissions): the platform treats the Anonymous role like any authenticated role and applies user-role inheritance to it, granting inherited access rights that were never explicitly assigned. Because this inheritance behavior for the Anonymous role is undocumented, developers who leave a role's access rights blank assume 'no rights,' while the runtime actually grants inherited read (and per the CVSS vector, integrity) access. The CPE cpe:2.3:a:divd:verysecureapp identifies DIVD's proof-of-concept app, but the defect lives in the Mendix Studio Pro platform's authorization model rather than any single application.

RemediationAI

No vendor-released patched version of Mendix Studio Pro is independently confirmed from the available data; EUVD lists VerySecureApp as affected up to 1.1.0, implying a fix in a later app release, but no exact platform build number is provided - consult the DIVD advisory (https://csirt.divd.nl/DIVD-2026-00006/) and Siemens ProductCERT advisory (https://cert-portal.siemens.com/productcert/html/ssa-814963.html) for the authoritative fix. The immediate, actionable control is at the application layer: explicitly define access rules on every entity for the Anonymous user role and never rely on blank/unset rights to mean 'no access,' since the runtime inherits them; audit all entities reachable by the Anonymous role and set them to no access unless public exposure is intended. Where anonymous access is not required, disable anonymous/guest access entirely for the app, accepting that this forces authentication for all users. As a compensating control, place a review gate on any Mendix module that enables anonymous users so that inherited permissions are validated before publishing.

Share

EUVD-2026-28463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy