CVE-2026-7891 | THREATINT

Description

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-07 | Updated 2026-05-08 | Assigner DIVD

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A

Problem types

CWE-277 Insecure inherited permissions

Product status

Default status

unaffected

Any version

affected

References

csirt.divd.nl/DIVD-2026-00006/ vendor-advisory

www.divd.nl/mendix.html mitigation

cve.org (CVE-2026-7891)

nvd.nist.gov (CVE-2026-7891)

Download JSON