CVE-2026-7891
Unauthorized Data Exposure in VerySecureApp via Mendix Studio Pro
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: Dutch Institute for Vulnerability Disclosure
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| divd | verysecureapp | * |
| mendix | mendix_studio_pro | to 11.8.0_beta (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-277 | A product defines a set of insecure permissions that are inherited by objects that are created by the program. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in VerySecureApp, created using Mendix Studio Pro 11.8.0 Beta, is due to an authorization misconfiguration. Specifically, anonymous users assigned the anonymous user role in the MyFirstModule can access all stored records, even though no explicit access rights are configured for that role. This happens because Mendix Studio Pro versions up to 11.8.0 Beta silently apply user inheritance rules to the anonymous user role without documenting this behavior, leading to unintended data exposure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that anonymous user roles do not have unintended access rights. Specifically, review and correct the authorization configuration in the VerySecureApp, especially for the MyFirstModule, to prevent anonymous users from accessing all stored records.
Additionally, avoid making Mendix Entities publicly available to anonymous users unless explicitly intended and properly secured.
Consider upgrading Mendix Studio Pro to a version later than 11.8.0 Beta where this issue is addressed or apply any patches provided by the vendor.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized data exposure, allowing anonymous users to access all stored records in the affected module. Since no authentication or explicit permissions are required, sensitive or confidential information could be accessed by anyone, potentially leading to data breaches, loss of privacy, and damage to the organization's reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in VerySecureApp allows anonymous users to access all stored records due to an authorization misconfiguration. This unintended data exposure can lead to unauthorized access to sensitive personal or protected health information.
Such unauthorized data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and health data.