CVE 9.3 CRITICAL

CVE-2026-7891_CVE-2026-7891

May 7, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A

Description

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.

AI Analysis

Unintended data exposure due to authorization misconfiguration in VerySecureApp

Basic Information

ID CVE-2026-7891

Source DIVD

Published May 7, 2026 at 21:07

Affected Product

Vendor DIVD

Product VerySecureApp

Affected Versions DIVD VerySecureApp 0

CWE Classification

CWE-277

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor DIVD

Product VerySecureApp

Version up to 11.8.0 Beta

References

{
    "lastseen": "",
    "description": "The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured on that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.",
    "published": "2026-05-07T21:07:22.206Z",
    "modified": "2026-05-07T21:07:22.206Z",
    "type": "cve",
    "title": "CVE-2026-7891",
    "source": "DIVD",
    "references": "https://csirt.divd.nl/DIVD-2026-00006/\nhttps://www.divd.nl/mendix.html",
    "id": "CVE-2026-7891",
    "bulletinFamily": "",
    "cwe": [
        "CWE-277"
    ],
    "cvelist": null,
    "sourceData": "DIVD VerySecureApp 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "VerySecureApp",
    "version": "0",
    "vendor": "DIVD",
    "ai_description": "Unintended data exposure due to authorization misconfiguration in VerySecureApp",
    "ai_severity": "Critical",
    "ai_vendor": "DIVD",
    "ai_product": "VerySecureApp",
    "ai_version": "up to 11.8.0 Beta",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply