A vulnerability has been identified in Mendix Runtime (All versions). Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications.

Project Subscriptions

Vendors Products
Verysecureapp Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 17 Jul 2026 16:15:00 +0000

Type Values Removed Values Added
Title Authorization Misconfiguration Allowing Anonymous Data Exposure in VerySecureApp

Tue, 14 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Description The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation. A vulnerability has been identified in Mendix Runtime (All versions). Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications.
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A'}

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Divd
Divd verysecureapp
Vendors & Products Divd
Divd verysecureapp

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Authorization Misconfiguration Allowing Anonymous Data Exposure in VerySecureApp

Thu, 07 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.
Weaknesses CWE-277
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: DIVD

Published:

Updated: 2026-07-14T09:19:09.920Z

Reserved: 2026-05-05T21:09:08.070Z

Link: CVE-2026-7891

cve-icon Vulnrichment

Updated: 2026-05-08T13:45:36.897Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T22:16:37.070

Modified: 2026-06-17T11:03:04.917

Link: CVE-2026-7891

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T16:00:05Z

Weaknesses