Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Mendix Studio Pro VerySecureApp Authorization Misconfiguration Vulnerability Allowing Data Exposure
Vulnerability
A vulnerability in the VerySecureApp created with Mendix Studio Pro, in versions up to and including 11.8.0 Beta, allows unauthorized data access due to improper authorization settings. The application permits anonymous users in the MyFirstModule to access all stored records, even though no explicit permissions are granted to that role. The issue arises because Mendix entities end up publicly available to anonymous users: earlier versions of Mendix Studio Pro automatically apply user-role inheritance rules to the anonymous role, and this behaviour is not clearly documented. As a result, sensitive information can be retrieved through standard Mendix runtime requests, creating a risk of GDPR violations, fraud, phishing, reputational harm, and potential data breach notifications.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive data, such as personal information, customer records, and documents, without the need for a technical exploit. This data exposure can result in significant privacy risks and regulatory compliance issues.
Remediation
Users are advised to review and adjust the authorization settings in their Mendix applications. This includes checking entity access rules, module role mappings, and the permissions assigned to the anonymous role and to newly registered users. If sensitive data is found to be exposed, access should be restricted immediately and access logs reviewed for any signs of misuse.
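The review described above, as an added example: a small audit over a constructed model of Mendix-style security metadata (user roles, module roles, entity access rules) that resolves which module roles the anonymous role effectively holds once user-role inheritance is applied, and flags entities it can read only through inherited roles. This is not Mendix's project format or API; the data model, role names and entity names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed audit model of Mendix-style security metadata; not Mendix's own
# project format or API. Module roles are written "Module.Role".
@dataclass
class Entity:
    name: str                                          # "Module.Entity"
    access_rules: dict = field(default_factory=dict)   # module role -> set of rights

@dataclass
class Project:
    user_roles: dict   # user role -> set of module roles granted directly
    inherits: dict     # user role -> set of user roles whose module roles it also receives
    entities: list

def effective_module_roles(project, user_role, follow_inheritance=True):
    """Module roles a user role ends up holding; inheritance is resolved
    transitively when follow_inheritance is set (the legacy behaviour)."""
    roles, todo, seen = set(), [user_role], set()
    while todo:
        current = todo.pop()
        if current in seen:
            continue
        seen.add(current)
        roles |= project.user_roles.get(current, set())
        if follow_inheritance:
            todo.extend(project.inherits.get(current, set()))
    return roles

def anonymous_exposure(project, anonymous_role="Anonymous", follow_inheritance=True):
    """Entities readable by the anonymous role, as (entity, granting module roles,
    inherited_only). inherited_only is True when no role mapped directly to the
    anonymous user role carries an explicit read rule on the entity."""
    direct = effective_module_roles(project, anonymous_role, follow_inheritance=False)
    held = effective_module_roles(project, anonymous_role, follow_inheritance)
    findings = []
    for entity in project.entities:
        granting = {r for r, rights in entity.access_rules.items() if r in held and "read" in rights}
        if granting:
            findings.append((entity.name, sorted(granting), not (granting & direct)))
    return findings

# Constructed sample project: the anonymous role has no explicit rule on Customer,
# but inherits the User role's module role and so can read every record.
SAMPLE = Project(
    user_roles={"User": {"MyFirstModule.User"}, "Anonymous": {"MyFirstModule.Anonymous"}},
    inherits={"Anonymous": {"User"}},
    entities=[
        Entity("MyFirstModule.Customer", {"MyFirstModule.User": {"read", "write"}}),
        Entity("MyFirstModule.Banner", {"MyFirstModule.Anonymous": {"read"}}),
    ],
)

if __name__ == "__main__":
    for name, roles, inherited_only in anonymous_exposure(SAMPLE):
        print(f"{name}: readable via {roles} ({'INHERITED ONLY, review' if inherited_only else 'explicit'})")
```

Running the same audit with `follow_inheritance=False` shows what the anonymous role is meant to see; any entity that appears only in the inherited run is a candidate for an explicit access rule or a corrected role mapping.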
