Detections
Analytics

CVE-2026-7891

critical

Description

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.

References

https://www.divd.nl/mendix.html

https://csirt.divd.nl/DIVD-2026-00006/

Details

Source: Mitre, NVD

Published: 2026-05-07

Updated: 2026-05-07

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: Critical