Description
The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.
Published: 2026-05-07
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in VerySecureApp, built with Mendix Studio Pro 11.8.0 Beta, stems from an authorization misconfiguration that permits anonymous users of MyFirstModule to retrieve all stored records. No explicit access rights are set for the anonymous role, yet Mendix silently applies user role inheritance rules to it, effectively granting read privileges that were never configured. The result is that confidential data is exposed to anyone who can reach the application, with no authentication required.

Affected Systems

The affected product is VerySecureApp, released by DIVD. All versions of Mendix Studio Pro up to and including 11.8.0 Beta are impacted, because they silently apply user role inheritance to the anonymous user role, a behaviour the documentation does not mention. In VerySecureApp the exposure is reachable through the MyFirstModule component.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical-severity vulnerability. No EPSS score is available, so the exploitation probability cannot be quantified, but the complete absence of an access control on the anonymous role means exposure is likely wherever the application is reachable. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a web request from an unauthenticated client to the MyFirstModule endpoints, from which any record stored in the application can be retrieved.

Generated by OpenCVE AI on May 7, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for VerySecureApp that removes the accidental inheritance of permissions by the anonymous role.
  • Reconfigure the application to explicitly deny read access for the anonymous role on all sensitive entities, ensuring no access rights are implicitly granted.
  • Review Mendix Studio Pro documentation and audit custom modules to confirm that no other components inadvertently expose data to unauthenticated users.


Tracking


Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type     Values Removed   Values Added
Title    -                Authorization Misconfiguration Allowing Anonymous Data Exposure in VerySecureApp

Thu, 07 May 2026 21:30:00 +0000

Type         Values Removed   Values Added
Description  -                The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.
Weaknesses   -                CWE-277
References   -
Metrics      -                cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A'}


MITRE

Status: PUBLISHED

Assigner: DIVD

Published:

Updated: 2026-05-07T21:07:22.206Z

Reserved: 2026-05-05T21:09:08.070Z

Link: CVE-2026-7891

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T22:16:37.070

Modified: 2026-05-07T22:16:37.070

Link: CVE-2026-7891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses