CVE-2026-7891: DIVD VerySecureApp Leaks All Records to Anonymous Users

Executive Summary

CVE-2026-7891 describes an authorization bypass in the VerySecureApp, a demonstration application developed by the Dutch Institute for Vulnerability Disclosure (DIVD) using Mendix Studio Pro 11.8.0 Beta. The vulnerability allows any anonymous user of the default MyFirstModule to retrieve all stored records, despite no access rights being explicitly granted to the anonymous user role. DIVD disclosed the issue via their advisory DIVD-2026-00006, published on 2026-05-08. No CVSS score has been assigned as of publication.

Technical Analysis

According to the advisory published by DIVD's CSIRT, the VerySecureApp was built with Mendix Studio Pro version 11.8.0 Beta. The application's default configuration includes an anonymous user role for the MyFirstModule module. Critically, the role has no access rights explicitly configured — meaning no read, write, or delete permissions were assigned. However, the Mendix runtime, by default, grants anonymous users access to entities that are marked as publicly available when no access rules are explicitly defined for that role.

The advisory states: "The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role." This behavior is consistent with Mendix's access-control model, where an empty access rule set for a role can be interpreted as "no restrictions" rather than "no access" depending on the entity's security configuration.

The affected entity is described only as a "Mendix Entity" in the advisory; the specific data schema or field names were not disclosed. The vulnerability is triggered simply by navigating to the application's public endpoint without any authentication. No special HTTP headers, tokens, or exploitation steps are required beyond accessing the application as an unauthenticated user.

DIVD noted that the VerySecureApp is a demonstration project, not a production system. However, the underlying misconfiguration pattern — failing to explicitly deny access for anonymous roles on entities that should be private — is a common pitfall in low-code platforms like Mendix, where default security settings may not align with developer expectations.

Mitigations & Recommendations

Organizations using Mendix Studio Pro (particularly version 11.8.0 Beta or earlier builds) should audit all anonymous user roles across their applications. The key mitigation is to explicitly configure access rules for every entity accessible via anonymous roles. In Mendix, developers should set access rights to "None" for entities that should not be publicly readable, rather than leaving the rules table empty.
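The difference between an empty rules table and an explicit "None" rule is the whole issue, so the following added example models it in code. This is illustrative code written for this article, not Mendix's own runtime or any DIVD code: the `AccessRule`/`Entity` classes, the `public` flag, the two check functions and the entity names are hypothetical. `check_fail_open` reproduces the pattern the advisory describes (no rule for the role on a public entity is read as "no restrictions"), `check_default_deny` is the behaviour a developer expects, and `audit_missing_anonymous_rules` is the audit step from the mitigation above: list every public entity on which the anonymous role has no explicit rule.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Hypothetical, simplified model of per-entity access rules (not Mendix's own
# code or data model). An entity carries a list of rules; a rule names a role and
# the rights it grants. An explicit "None" rule is a rule whose rights set is
# empty, which is different from the role having no rule at all.


@dataclass
class AccessRule:
    role: str
    rights: Set[str]  # subset of {"read", "write", "delete"}; empty set == explicit "None"


@dataclass
class Entity:
    name: str
    public: bool  # entity exposed on the anonymous-access surface
    rules: List[AccessRule] = field(default_factory=list)

    def rules_for(self, role: str) -> List[AccessRule]:
        return [r for r in self.rules if r.role == role]


def check_fail_open(entity: Entity, role: str, right: str) -> bool:
    """Check with the misconfiguration pattern described in the advisory: an
    empty rule set for the role on a public entity is read as "no restrictions",
    so the request is granted."""
    rules = entity.rules_for(role)
    if not rules:
        return entity.public  # empty table treated as unrestricted
    return any(right in r.rights for r in rules)


def check_default_deny(entity: Entity, role: str, right: str) -> bool:
    """Default-deny check: a right exists only if some rule for the role grants
    it. An empty rule set and an explicit "None" rule both deny."""
    return any(right in r.rights for r in entity.rules_for(role))


def audit_missing_anonymous_rules(entities: List[Entity], role: str = "Anonymous") -> List[str]:
    """Names of public entities on which `role` has no explicit rule at all,
    i.e. the cases to fix by adding an explicit rule (typically "None")."""
    return [e.name for e in entities if e.public and not e.rules_for(role)]


# Constructed sample entities (names are illustrative, not from the advisory).
RECORDS_EMPTY_TABLE = Entity("MyFirstModule.Record", public=True)
RECORDS_EXPLICIT_NONE = Entity(
    "MyFirstModule.RecordFixed", public=True,
    rules=[AccessRule("Anonymous", set()),
           AccessRule("Administrator", {"read", "write", "delete"})],
)
INTERNAL_NOTE = Entity(
    "MyFirstModule.InternalNote", public=False,
    rules=[AccessRule("Administrator", {"read", "write"})],
)

if __name__ == "__main__":
    sample = [RECORDS_EMPTY_TABLE, RECORDS_EXPLICIT_NONE, INTERNAL_NOTE]
    for e in sample:
        print(e.name,
              "fail-open read:", check_fail_open(e, "Anonymous", "read"),
              "default-deny read:", check_default_deny(e, "Anonymous", "read"))
    print("entities needing an explicit anonymous rule:",
          audit_missing_anonymous_rules(sample))
```

Running it shows `MyFirstModule.Record` readable by the anonymous role under the fail-open check but not under default-deny, and the audit lists exactly that entity; adding the explicit empty-rights rule, as on `MyFirstModule.RecordFixed`, closes the gap under both checks.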

DIVD recommends that developers using Mendix review the platform's documentation on anonymous user security and entity access rules. For the VerySecureApp specifically, DIVD has presumably restricted access or taken the application offline following disclosure. No patch is required for the Mendix platform itself — this is a configuration issue in the application layer.

Defenders should also consider network-level controls: if a Mendix application exposes anonymous endpoints, those endpoints should be reviewed regularly, and access logs should be monitored for unexpected data retrieval patterns (e.g., large numbers of records fetched by unauthenticated sessions).
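As an added example of the log monitoring suggested above (not code from the article, DIVD or Mendix), the following script totals the records returned per unauthenticated session and flags sessions above a threshold. The log layout, the `rows=` field, the paths and the session ids are all constructed for this example; the Mendix runtime's real access logs will need their own parser, but the grouping and threshold logic carries over.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed log format for this example (not the Mendix runtime's real
# access-log layout):
#   <timestamp> session=<id> user=<name, or '-' when unauthenticated>
#   path=<request path> status=<http status> rows=<records returned>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) rows=(?P<rows>\d+)$"
)

# Constructed sample lines: one anonymous session paging through thousands of
# records, one authenticated user doing a legitimately large export, one
# anonymous session that only loaded the landing page, and one malformed line.
SAMPLE_LOG = """\
2026-05-08T10:15:01Z session=s-anon-1 user=- path=/records status=200 rows=5
2026-05-08T10:15:03Z session=s-anon-1 user=- path=/records status=200 rows=5000
2026-05-08T10:15:09Z session=s-anon-1 user=- path=/records status=200 rows=5000
2026-05-08T10:16:00Z session=s-auth-9 user=alice path=/records status=200 rows=8000
2026-05-08T10:16:30Z session=s-anon-2 user=- path=/index.html status=200 rows=0
this line is malformed and must be skipped rather than crash the detector
"""


def parse_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed line; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            rec["status"] = int(rec["status"])
            yield rec


def rows_by_unauthenticated_session(lines: Iterable[str]) -> Dict[str, int]:
    """Total records returned per session that never presented a user identity."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in parse_lines(lines):
        if rec["user"] == "-" and rec["status"] == 200:
            totals[rec["session"]] += rec["rows"]
    return dict(totals)


def flag_bulk_retrieval(lines: Iterable[str], threshold: int = 1000) -> List[Tuple[str, int]]:
    """Unauthenticated sessions that pulled more than `threshold` records,
    largest first. Authenticated users are deliberately excluded: the signal
    wanted here is unauthenticated bulk reads, not large reads in general."""
    totals = rows_by_unauthenticated_session(lines)
    flagged = [(s, n) for s, n in totals.items() if n > threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for session, n in flag_bulk_retrieval(SAMPLE_LOG.splitlines()):
        print(f"ALERT unauthenticated session {session} retrieved {n} records")
```

On the sample, only `s-anon-1` is flagged (10005 records across three requests); `alice`'s 8000-row export is ignored because the session is authenticated, and `s-anon-2` stays below the threshold. The threshold is a tuning knob: set it from the normal per-session volume of the application's genuinely public pages.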
