IM
IronMonkey Threat Research

CVE-2026-7891 CRITICAL

Published: 2026-05-07 | Last Modified: 2026-07-14 | Status: Deferred

Description

A vulnerability has been identified in Mendix Runtime (All versions). Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications.

CVSS Metrics

Base Score: 9.1 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactNONE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.2

Base Score: 9.1 (CRITICAL)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack VectorNETWORK
Attack ComplexityLOW
Attack RequirementsPRESENT
Privileges RequiredNONE
User InteractionNONE
Vulnerability ConfidentialityHIGH
Vulnerability IntegrityHIGH
Vulnerability AvailabilityNONE
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE

Source: [email protected]

Type: Secondary

Weaknesses

Source Type Description
[email protected] Primary
en CWE-277
Notification
Message here