CVE-2026-7891
CRITICALDivd VerySecureApp < 1.1.0 - Insecure Inherited Permissions
Title source: ruleDescription
The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://csirt.divd.nl/DIVD-2026-00006/
Mitigation mitigation
https://www.divd.nl/mendix.html
Scores
CVSS v4
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Details
CWE
CWE-277
Status
published
Products (1)
DIVD/VerySecureApp
< 1.1.0
Published
May 07, 2026
Tracked Since
May 08, 2026