Mendix SAML Module Account Hijacking Vulnerability

Vulnerability

A vulnerability exists in the Mendix SAML module in the versions compatible with Mendix 9.24 (all versions prior to 3.6.21), Mendix 10.12 (all versions prior to 4.0.3), and Mendix 10.21 (all versions prior to 4.1.2). The affected versions do not adequately enforce signature validation and binding checks on incoming SAML messages, which could allow an unauthenticated remote attacker to hijack accounts in certain single sign-on (SSO) configurations.

Impact

Exploitation of this vulnerability could lead to unauthorized account access and hijacking in specific SSO environments.

Remediation

Users are advised to update the Mendix SAML module to version 3.6.21 or later for Mendix 9.24, to version 4.0.3 or later for Mendix 10.12, and to version 4.1.2 or later for Mendix 10.21 (the fixed versions listed above). The latest versions can be downloaded from the Mendix Marketplace. Additionally, ensure that SSO configurations have 'UseEncryption' enabled, so that the module only accepts encrypted assertions.
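The advisory describes the weakness class (missing signature and binding checks) and the mitigation (requiring encrypted assertions) without showing what a service provider must actually enforce. The following is an added, generic illustration written for this page; it is not code from the Mendix SAML module and makes no claim about how that module is implemented. It performs the structural checks a SAML service provider should apply before handing the message to an XML-signature library: the Response Destination must match the assertion consumer service (ACS) URL it arrived at (the binding check), a signature counts only if it is a direct child of the Response or of the Assertion and references that element's own ID (so a signature found elsewhere in the document does not vouch for a forged assertion), Audience and Recipient must name this SP, and, when encryption is required, plaintext assertions are refused. The ACS URL and entity ID are assumed values, the sample messages are constructed with placeholder signature values, and the cryptographic verification of the located signature is deliberately left to an xmldsig library.

```python
"""Structural pre-checks for an incoming SAML 2.0 Response (added illustration,
not Mendix module code). Cryptographic verification of the signature found by
_signature_covers() must still be done with an xmldsig library such as xmlsec."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://app.example.com/SSO/assertion"  # assumed SP endpoint
AUDIENCE = "https://app.example.com/"              # assumed SP entity ID


def _signature_covers(element):
    """A signature counts only if it is a direct child of ELEMENT and its single
    Reference points at ELEMENT's own ID. Searching the whole document for any
    ds:Signature is the mistake that lets an attacker wrap a forged assertion
    around a validly signed one."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + element.get("ID", "")


def check_saml_response(xml_text, acs_url=ACS_URL, audience=AUDIENCE,
                        require_encryption=False):
    """Return (True, "ok") or (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    # Binding check: the message must have been addressed to the endpoint it hit.
    if root.get("Destination") != acs_url:
        return False, "Destination does not match the receiving ACS URL"
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if require_encryption:
        # Policy equivalent of 'UseEncryption': plaintext assertions are refused.
        if plain or len(encrypted) != 1:
            return False, "exactly one EncryptedAssertion required"
        if not _signature_covers(root):
            return False, "Response is not signed"
        return True, "ok"  # decrypt, then apply the plaintext checks below
    if len(plain) != 1 or encrypted:
        return False, "expected exactly one plaintext Assertion"
    assertion = plain[0]
    # Signature scope: the Response or the Assertion itself must carry the signature.
    if not (_signature_covers(root) or _signature_covers(assertion)):
        return False, "no signature covering the Response or the Assertion"
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:
        return False, "Audience does not match this SP"
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "SubjectConfirmationData Recipient does not match the ACS URL"
    return True, "ok"


def build_response(signature="assertion", destination=ACS_URL, encrypted=False):
    """Constructed sample messages, not captures from a real IdP. SIGNATURE is
    'assertion' (signed on the assertion), 'none', or 'wrapped' (a signature is
    present in the document but under samlp:Extensions, not on the assertion).
    ENCRYPTED swaps the plaintext assertion for an EncryptedAssertion and signs
    the Response instead. Signature values are placeholders; only structure matters."""
    def sig(ref):
        return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo>'
                '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
    if encrypted:
        body = sig("_r1") + ('<saml:EncryptedAssertion><xenc:EncryptedData '
                             'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
                             '</saml:EncryptedAssertion>')
    else:
        body = ('<samlp:Extensions>' + sig("_a1") + '</samlp:Extensions>'
                if signature == "wrapped" else '')
        body += ('<saml:Assertion ID="_a1">' + (sig("_a1") if signature == "assertion" else '')
                 + f'<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData '
                 f'Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>'
                 f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}'
                 '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1" Destination="{destination}">{body}</samlp:Response>')


if __name__ == "__main__":
    for label, msg, enc in [("signed", build_response(), False),
                            ("unsigned", build_response(signature="none"), False),
                            ("wrapped", build_response(signature="wrapped"), False),
                            ("wrong ACS", build_response(destination="https://attacker.example/acs"), False),
                            ("plaintext, encryption required", build_response(), True),
                            ("encrypted, encryption required", build_response(encrypted=True), True)]:
        print(label, "->", check_saml_response(msg, require_encryption=enc))
```

The point of `_signature_covers` is that it never searches below the element being validated: a signature nested under samlp:Extensions (or any other unexpected place) is ignored, so the wrapped sample is rejected even though the document does contain a signature. With `require_encryption=True` the plaintext sample is refused outright, which is the effect of turning on the advisory's 'UseEncryption' setting.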

Added: Aug 14, 2025, 4:01 PM
Updated: Aug 14, 2025, 4:01 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 7.4
remediation: 7.9
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.