IM
IronMonkey Threat Research
‹ Back to ICS Advisories

SSA-814963: Insecure Inherited Permission in Mendix

CRITICAL
CVSS 9.1
Date 2026-07-14T00:00:00+00:00
Source siemens-productcert
Published by Siemens ProductCERT

// Description

Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications. A common misconfiguration identified is with the anonymous user role with a System.User entity to gain access to all stored records, even though no access rights are explicitly configured on that role. Siemens recommends Mendix developers to review their access rules based on updated documentation.

// Vulnerabilities (1)

CVE ID CVSS Score Severity Description
CVE-2026-7891 9.1 critical
CVE-2026-7891. Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications.

// Remediations (2)

Patch: Review mendix access rules knowing that System.User has built-in platform-enforced access rules that
Review mendix access rules knowing that System.User has built-in platform-enforced access rules that cannot be overridden or restricted by access rules defined on a specialization. Check updated documentation for further details
Mitigation: Any security model relying solely on XPath constraints on a System.User specialization to restrict a
Any security model relying solely on XPath constraints on a System.User specialization to restrict access should be revised to enforce restrictions at the App Security role-management configuration level instead.

// References