DIVD-2026-00003 - Mendix Applications – Data Exposure due to Authorization Misconfiguration
| Field | Value |
|---|---|
| Our reference | DIVD-2026-00003 |
| Case lead | Jeroen Ellermeijer |
| Author | Marieke Rijken |
| Researcher(s) | |
| CVE(s) | |
| Product | Mendix Low-Code Platform |
| Versions | any |
| Recommendation | Review and correct authorization configuration in Mendix applications, including entity access rules, role mappings and XPath constraints, particularly those assigned to the Anonymous project role. |
| Workaround | n/a |
| Status | Open |
| Last modified | 05 Mar 2026 21:53 CET |
Summary
DIVD has started a new research effort into unintended data exposure in applications built with the Mendix low-code platform. The issue involves authorization misconfiguration within Mendix applications that may allow anonymous users or application users to access data sources with overly broad permissions due to improper access constraints.
It is important to note that this issue does not represent a vulnerability in the Mendix platform itself. The Mendix platform provides mechanisms to securely restrict access to application data through entity access rules, module and user roles, and XPath constraints. When these controls are not correctly configured by the application developer, users may unintentionally gain access to data that should be restricted.
Typical causes include:
- overly permissive entity access rules
- incorrect module role mappings
- missing or overly broad XPath constraints
- excessive permissions granted to the Anonymous user
- excessive rights assigned to newly registered or default user roles
- microflows or published REST services exposing data without sufficient authorization checks
This type of authorization issue is frequently encountered during security reviews and penetration tests of Mendix applications.
DIVD previously investigated a similar issue in 2022 (DIVD-2022-00019). Since then, the number of Mendix applications deployed on the internet has grown significantly. Due to this growth and recurring findings of misconfigured authorization, DIVD has initiated a new research effort to reassess the exposure of Mendix applications on the internet.
In some cases the research includes interacting with application functionality, such as account registration, to verify whether authorization rules are correctly enforced for application user roles.
Affected scope
This issue is not limited to a specific Mendix version or product. It may affect:
- Mendix Cloud hosted applications
- On-premise Mendix installations
- Internet-facing portals built on Mendix
Because the issue originates from application configuration rather than a platform vulnerability, it may occur in any Mendix application where authorization controls are not properly implemented.
How attackers can misuse this
No exploit is required to retrieve exposed data.
Mendix applications communicate with the Mendix Runtime Server using the Mendix Client API. Requests are typically processed through the /xas/ endpoint. Because the Mendix client runs on the end-user device, it must always be considered untrusted.
If runtime authorization rules allow access to certain entities or microflows, an attacker can retrieve this data using normal Mendix runtime requests.
This makes the issue:
- difficult to detect
- easy to automate
- scalable across multiple applications
During security assessments and previous research activities, exposed data included:
- names and contact information
- addresses and personal data
- internal customer records
- documents and images
- other potentially sensitive business data
Such exposure may lead to privacy violations, phishing attacks, fraud, reputational damage, or regulatory consequences such as GDPR/AVG breach notifications.
Root cause
Mendix applications consist of two primary components: the Mendix Client and the Mendix Runtime Server. The client runs in the end-user’s browser or mobile application and communicates with the runtime server using the Mendix Client API.
Data exposure typically occurs when authorization rules within the application are not correctly implemented, for example:
- missing or incorrect entity access rules
- incorrect module role mappings
- insufficient or missing XPath constraints restricting data visibility
- overly permissive permissions assigned to the Anonymous project role
- custom logic that bypasses expected authorization checks
These issues are related to application configuration and development practices, not to a vulnerability in the Mendix platform itself.
What you can do
Organizations running Mendix applications are strongly advised to review their authorization configuration.
Recommended checks include:
- Review entity access rules for all entities
- Review module role mappings and user role assignments
- Validate XPath constraints and data visibility rules
- Review permissions granted to the Anonymous user
- Review permissions granted to application user roles
- Disable anonymous access if it is not strictly required
- Review published REST services and microflows for proper authorization enforcement
- Perform a security review or penetration test focused on authorization and data exposure
- Consider upgrading to supported Mendix versions such as Mendix 10 LTS or Mendix 11 MTS where applicable
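The checks above chain together: a module role is only as safe as the project roles it is mapped to, and an entity access rule is only as narrow as its XPath constraint. The script below is an added example (not DIVD's or Mendix's code) that walks a simplified, constructed representation of entity access rules and role mappings and flags the patterns listed above. The data structures, entity names and the `trusted_roles` parameter are assumptions for the example; they are not the Mendix project file format or the Mendix Model SDK, so a real review would first export the application's security settings into this shape.

```python
"""Audit a Mendix-style authorization configuration for the patterns this
casefile lists: entity access rules reachable by the Anonymous project role,
module-role mappings that chain a permissive module role into Anonymous, and
rules on personal data that lack an XPath constraint.

The structures below are a constructed, simplified representation (an
assumption); they are not the Mendix project file format or the Mendix Model SDK.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ANONYMOUS_ROLE = "Anonymous"


@dataclass
class AccessRule:
    entity: str                              # e.g. "Customers.Customer"
    module_roles: List[str]                  # module roles the rule applies to
    member_read: List[str] = field(default_factory=list)
    member_write: List[str] = field(default_factory=list)
    allow_create: bool = False
    allow_delete: bool = False
    xpath_constraint: str = ""               # empty = rule covers every object


@dataclass
class Finding:
    severity: str        # "high" or "medium"
    entity: str
    project_role: str
    message: str


def resolve_project_roles(module_role: str, role_mappings: Dict[str, List[str]]) -> List[str]:
    """Project (user) roles that include the given module role."""
    return sorted(p for p, mods in role_mappings.items() if module_role in mods)


def audit(rules, role_mappings, sensitive_members=(), trusted_roles=()) -> List[Finding]:
    """Walk every rule through every project role that can reach it and flag exposures."""
    findings: List[Finding] = []
    sensitive = set(sensitive_members)
    for rule in rules:
        unconstrained = not rule.xpath_constraint.strip()
        reads = set(rule.member_read)
        mutates = rule.allow_create or rule.allow_delete or bool(rule.member_write)
        for mod_role in rule.module_roles:
            for proj_role in resolve_project_roles(mod_role, role_mappings):
                if proj_role in trusted_roles:
                    continue
                if proj_role == ANONYMOUS_ROLE:
                    if reads:
                        findings.append(Finding(
                            "high" if unconstrained else "medium", rule.entity, proj_role,
                            f"anonymous read of {sorted(reads)} via module role {mod_role}"
                            + (" without XPath constraint" if unconstrained else "")))
                    if mutates:
                        findings.append(Finding("high", rule.entity, proj_role,
                                                f"anonymous create/write/delete via {mod_role}"))
                elif reads & sensitive and unconstrained:
                    findings.append(Finding(
                        "medium", rule.entity, proj_role,
                        f"{proj_role} can read {sorted(reads & sensitive)} on all objects "
                        "(no XPath constraint such as [System.owner='[%CurrentUser%]'])"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample configuration (not taken from any real application).
SAMPLE_ROLE_MAPPINGS = {
    "Anonymous": ["Customers.Guest"],
    "User": ["Customers.Guest", "Customers.Member"],
    "Administrator": ["Customers.Admin"],
}
SAMPLE_RULES = [
    # Guest is mapped to Anonymous: an unconstrained read exposes every customer.
    AccessRule("Customers.Customer", ["Customers.Guest"], member_read=["Name", "Email"]),
    # Member sees only its own customer object: constrained, no finding.
    AccessRule("Customers.Customer", ["Customers.Member"],
               member_read=["Name", "Email", "Address"], member_write=["Address"],
               xpath_constraint="[System.owner='[%CurrentUser%]']"),
    # Any logged-in user can read every order, including addresses.
    AccessRule("Customers.Order", ["Customers.Member"], member_read=["Total", "Address"]),
    # Administrator is passed as a trusted role and is skipped by the audit.
    AccessRule("Customers.Customer", ["Customers.Admin"],
               member_read=["Name", "Email", "Address"], allow_create=True, allow_delete=True),
]
SAMPLE_SENSITIVE = ("Email", "Address")


def run_sample() -> List[Finding]:
    return audit(SAMPLE_RULES, SAMPLE_ROLE_MAPPINGS, SAMPLE_SENSITIVE, trusted_roles=("Administrator",))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.entity} / {f.project_role}: {f.message}")
```

The first sample rule shows why module role mappings matter: the rule itself names only `Customers.Guest`, but because that module role is mapped to the Anonymous project role, the audit reports it as an anonymous exposure. The second rule is the shape a correct rule takes for personal data: the XPath constraint limits each user to objects they own.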
If sensitive data is accessible:
- restrict access immediately
- review available logs for signs of misuse
- assess whether a data breach notification may be required
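Because data retrieval through the Mendix Client API is ordinary runtime traffic to the /xas/ endpoint, it rarely stands out in logs on its own. A property that does stand out is shape: a browser session loads pages and static assets alongside its /xas/ calls, while a script retrieving records in bulk sends almost nothing else at a high rate. The script below is an added example (not DIVD's or Mendix's code) of that triage heuristic run over reverse-proxy access logs. It assumes the application sits behind a proxy writing the standard combined log format; the log lines, client addresses (TEST-NET ranges), asset paths and thresholds are constructed for the example, and a hit is a reason to look closer in the application's own logs, not proof of misuse.

```python
"""Heuristic review of reverse-proxy access logs for scripted bulk retrieval
against the Mendix Client API endpoint (/xas/), supporting the "review
available logs for signs of misuse" step.

Assumption: the app is behind a proxy that writes combined log format.
All log lines, IP addresses and asset paths below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_clients(lines, window=timedelta(minutes=1), min_xas=20, max_asset_ratio=0.1):
    """Flag clients whose successful /xas/ calls peak above `min_xas` inside `window`
    while almost none of their requests are page or asset loads."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        xas = [r for r in recs if r["path"].startswith("/xas/") and r["status"] == 200]
        other = len(recs) - len(xas)
        # Sliding window over the sorted /xas/ timestamps: largest burst within `window`.
        peak, start = 0, 0
        for end in range(len(xas)):
            while xas[end]["ts"] - xas[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        asset_ratio = other / len(recs) if recs else 0.0
        if peak >= min_xas and asset_ratio <= max_asset_ratio:
            flagged[ip] = {"peak_xas_per_window": peak,
                           "asset_ratio": round(asset_ratio, 2),
                           "total_requests": len(recs)}
    return flagged


def build_sample_log():
    """Constructed log: one scripted client and one browser-like client."""
    base = datetime(2026, 3, 1, 9, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status, size):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'

    lines = []
    # Scripted client: 30 successful /xas/ calls, one per second, nothing else.
    for i in range(30):
        lines.append(line("203.0.113.10", i, "POST", "/xas/", 200, 1523))
    # Browser-like client: page and asset loads, then a handful of /xas/ calls.
    assets = ["/index.html", "/styles/app.css", "/js/app.js", "/img/logo.png",
              "/fonts/ui.woff2", "/favicon.ico", "/js/vendor.js", "/styles/theme.css",
              "/img/hero.jpg", "/manifest.json"]
    for i, path in enumerate(assets):
        lines.append(line("198.51.100.7", i, "GET", path, 200, 4096))
    for i in range(5):
        lines.append(line("198.51.100.7", 10 + i * 3, "POST", "/xas/", 200, 812))
    return lines


if __name__ == "__main__":
    for ip, info in find_suspicious_clients(build_sample_log()).items():
        print(ip, info)
```

Tune `min_xas` and `max_asset_ratio` against a baseline of normal sessions before relying on the output, and correlate any flagged address with the application's own logs to see which session and entities were involved.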
Tools
Organizations and security researchers can use publicly available tools to help review Mendix applications for potential configuration issues.
Menscan.io is a free online tool that helps identify potential configuration issues in Mendix applications. It operates as a middleware between the user and the Mendix application, highlighting common authorization and configuration mistakes during interaction with the application. Menscan does not store application data.
As an alternative, MendixHunter is an open-source tool that can be run locally. MendixHunter builds upon the Ciphix Mendix Dev Tools and extends it with additional functionality to assist researchers and security teams in analysing Mendix applications.
These tools can help organizations gain better visibility into potential authorization misconfigurations and support security reviews of Mendix applications.
What we are doing
DIVD is analysing publicly accessible Mendix applications to identify instances where authorization misconfiguration may expose data.
The Mendix instances included in this research were identified through publicly available sources. Because of this, the dataset used during this research is not exhaustive and may not include all Mendix deployments.
Organizations whose applications appear to expose data that is likely not intended to be publicly accessible may be notified with information about the observed behaviour. Organizations are encouraged to proactively review their Mendix applications for potential authorization misconfigurations.
Organizations that would like additional information about this research effort can contact the DIVD CSIRT team at DIVD-2026-00003@csirt.divd.nl.
Timeline
| Date | Description |
|---|---|
| 27 Oct 2025 | Initial research into authorization misconfigurations in Mendix applications started. |
| 02 Feb 2026 | DIVD performed a large-scale scan to identify publicly accessible Mendix applications potentially affected by this misconfiguration. |
| 13 Feb 2026 | Additional DIVD researchers joined the project to assist with reviewing findings and notifying affected organizations. |
| 27 Feb 2026 | DIVD published a public news article about the research. |
| 05 Mar 2026 | Casefile published. Notifications to affected organizations are ongoing. |
More information
- Previous DIVD Case - DIVD-2022-00019
- DIVD Article - Mendix applications: unintended data exposure due to authorization misconfiguration
- Handling Security Findings Related to Data Exposure
- Mendix Documentation - Securing Your Data