Impact
The Mendix OIDC SSO module grants users in the Administrator role full read and write access to all authentication tokens. This privileged access allows an attacker who can modify the module code during the Mendix development process to abuse token privileges, potentially altering or forging tokens used for user authentication. The weakness is a classic privilege or access control issue (CWE-266): the module does not limit the ability of a compromised administrator to misappropriate token credentials.
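As an added illustration that is not part of this advisory and not code from the Siemens Mendix OIDC SSO module: the constructed Python model below expresses per-role access rules on a token entity, places the over-privileged Administrator configuration the advisory describes beside a least-privilege alternative, and includes the audit check a reviewer would run to tell them apart. Role names, attribute names, the rule format and the token store itself are assumptions made for the example.

```python
"""Constructed model of entity access rules on an OIDC token store.

Illustrative only: not code from the Siemens Mendix OIDC SSO module.
Role names, attribute names and the rule format are assumptions used to
show the CWE-266 pattern (an Administrator role with full read/write on
tokens) beside a least-privilege alternative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """Per-role rights on the token entity, modelled as attribute sets."""
    read: frozenset
    write: frozenset
    delete: bool = False


TOKEN_ATTRS = frozenset({"subject", "issued_at", "expires_at", "token_value"})
METADATA = frozenset({"subject", "issued_at", "expires_at"})

# Weak configuration: Administrator may read and modify every attribute,
# including the secret token value (the over-privileged pattern).
WEAK_RULES = {
    "Administrator": AccessRule(read=TOKEN_ATTRS, write=TOKEN_ATTRS, delete=True),
    "User": AccessRule(read=METADATA, write=frozenset()),
}

# Hardened configuration: administrators may inspect metadata and revoke,
# but no role can read or rewrite the token value through the entity.
HARDENED_RULES = {
    "Administrator": AccessRule(read=METADATA, write=frozenset(), delete=True),
    "User": AccessRule(read=METADATA, write=frozenset()),
}


class TokenStore:
    """Token store that enforces the supplied rules on every operation.

    Only a SHA-256 digest of each token is kept, so even a role that can
    read 'token_value' obtains a hash rather than a reusable bearer secret.
    """

    def __init__(self, rules):
        self.rules = rules
        self._tokens = {}  # token_id -> attribute dict

    def issue(self, subject, now, ttl=3600):
        """Create a token; the raw value is returned once and never stored."""
        token_id = secrets.token_hex(8)
        raw = secrets.token_urlsafe(32)
        self._tokens[token_id] = {
            "subject": subject,
            "issued_at": now,
            "expires_at": now + ttl,
            "token_value": hashlib.sha256(raw.encode()).hexdigest(),
        }
        return token_id, raw

    def read(self, role, token_id, attr):
        if attr not in self.rules[role].read:
            raise PermissionError(f"{role} may not read {attr}")
        return self._tokens[token_id][attr]

    def write(self, role, token_id, attr, value):
        if attr not in self.rules[role].write:
            raise PermissionError(f"{role} may not write {attr}")
        self._tokens[token_id][attr] = value

    def revoke(self, role, token_id):
        if not self.rules[role].delete:
            raise PermissionError(f"{role} may not revoke tokens")
        del self._tokens[token_id]

    def verify(self, token_id, presented, now):
        """Authenticate a presented token by digest comparison and expiry."""
        record = self._tokens.get(token_id)
        if record is None or now >= record["expires_at"]:
            return None
        digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(digest, record["token_value"]):
            return None
        return record["subject"]


def admin_can_alter_secret(rules):
    """Audit check: may the Administrator role rewrite the stored token value?"""
    return "token_value" in rules["Administrator"].write


def can_read(store, role, token_id, attr):
    """True if the role is permitted to read the attribute, else False."""
    try:
        store.read(role, token_id, attr)
        return True
    except PermissionError:
        return False


def demo():
    """Per configuration: outcome of an admin write to the secret, and whether
    the originally issued token still verifies afterwards."""
    results = {}
    replacement = hashlib.sha256(b"constructed-replacement").hexdigest()
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        store = TokenStore(rules)
        token_id, raw = store.issue("alice", now=1000)
        try:
            store.write("Administrator", token_id, "token_value", replacement)
            outcome = "secret rewritten"
        except PermissionError:
            outcome = "write refused"
        results[name] = (outcome, store.verify(token_id, raw, now=1500) == "alice")
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints that the weak rules let the Administrator rewrite the secret, after which the legitimately issued token no longer verifies, while the hardened rules refuse the write and the token keeps working; the `admin_can_alter_secret` check is the kind of static review that would flag the first configuration before deployment.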
Affected Systems
Affected products include Siemens Mendix OIDC SSO for Mendix 10.12 compatible, Siemens Mendix OIDC SSO for Mendix 9 compatible, Siemens Mendix OIDC SSO V4.2 (compatible with Mendix 10) and Siemens Mendix OIDC SSO V4.3 (compatible with Mendix 10). The vulnerability applies to all versions of these modules that are older than V4.0.1 for the 10.12 compatible releases, older than V3.3.1 for the 9 compatible releases, older than V4.2.1 for the V4.2 releases, and to all public releases of V4.3.
Risk and Exploitability
With a CVSS score of 2.1 and an EPSS score under 1%, the likelihood of exploitation is very low and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to require an authenticated user with Administrator or developer privileges who can modify the OIDC SSO module during the application life cycle; external network exploitation is unlikely based on the supplied description.
OpenCVE Enrichment