CVE Catalog

CVE-2026-7891

Critical
Published: Translated: NVD NIST

Summary

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. Anonymous users of the MyFirstModule can access all stored records, even though no access rights are explicitly configured on that role.

Risk Assessment

The organization is at risk of exposing sensitive data as anonymous users can access all records in the application. This may lead to privacy breaches and non-compliance with data protection regulations.

Recommendation

It is recommended to review and improve the authorization configuration in the application to restrict anonymous user access to data. Additionally, update Mendix Studio Pro to the latest version to benefit from security fixes.

Original NVD description (English source)

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS