DIVD-2026-00006 - Vulnerability found in DIVD App VerySecureApp
| Field | Value |
|---|---|
| Our reference | DIVD-2026-00006 |
| Case lead | Frank Breedijk |
| Author | Jeroen van der Ham-de Vos |
| Researcher(s) | |
| CVE(s) | |
| Products | |
| Versions | |
| Recommendation | N/A |
| Patch status | N/A |
| Workaround | see [DIVD Mendix News](https://www.divd.nl/mendix.html) |
| Status | Closed |
| Last modified | 07 May 2026 21:32 CEST |
Summary
The VerySecureApp, made by DIVD using Mendix Studio Pro 11.8.0 Beta, allows unintended data exposure due to an authorization misconfiguration. Users of the MyFirstModule who hold the anonymous user role can access all stored records, even though no access rights are explicitly configured on that role. An anonymous user role is required in order to make a Mendix entity publicly available. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation.
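The failure mode above, as an added illustration that is neither Mendix's nor DIVD's code: a toy entity-access model in which a role with no explicit rule on an entity falls through to the rules of the roles it inherits from, beside a default-deny evaluator, and an audit that lists every role that gains access only through that fall-through. The role names, entity names and inheritance chain are constructed for the example.

```python
# Added illustration (not Mendix or DIVD code): a toy entity-access model in which
# a role with no explicit access rule falls through to the rules of the roles it
# inherits from, beside a default-deny evaluator and an audit that lists the
# roles that gain access only through the fall-through. All names are constructed.

ROLES = {
    # role name -> roles it inherits from (hypothetical inheritance chain)
    "Administrator": [],
    "User": ["Administrator"],
    "Anonymous": ["User"],
}

ENTITIES = {
    # entity name -> {role name: set of allowed operations}; Anonymous has no
    # rule on Customer, which is the situation the advisory describes
    "MyFirstModule.Customer": {"Administrator": {"read", "write"}, "User": {"read"}},
    "MyFirstModule.PublicNotice": {"Anonymous": {"read"}, "User": {"read"}},
}


def allowed_with_fallthrough(entity, role, op, roles=ROLES, entities=ENTITIES):
    """Misconfiguration modelled here: a role without an explicit rule on the
    entity silently takes the access of the roles it inherits from."""
    rules = entities[entity]
    if role in rules:
        return op in rules[role]
    return any(allowed_with_fallthrough(entity, parent, op, roles, entities)
               for parent in roles[role])


def allowed_explicit_only(entity, role, op, entities=ENTITIES):
    """Default deny: no explicit rule for this role on this entity means no access."""
    return op in entities[entity].get(role, set())


def audit_implicit_access(roles=ROLES, entities=ENTITIES, ops=("read", "write")):
    """Return (entity, role, op) triples where access is granted only by the
    fall-through, i.e. the rules a reviewer should make explicit or deny."""
    findings = []
    for entity in entities:
        for role in roles:
            for op in ops:
                if (allowed_with_fallthrough(entity, role, op, roles, entities)
                        and not allowed_explicit_only(entity, role, op, entities)):
                    findings.append((entity, role, op))
    return findings


if __name__ == "__main__":
    for finding in audit_implicit_access():
        print("implicit access:", finding)
```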
What you can do
Don't use the DIVD VerySecureApp, and check whether you have similar Mendix-created apps with Anonymous user roles that have no explicit permission definitions.
What we are doing
DIVD is actively scanning for similar Mendix-created apps and alerting their operators, verifying the data leak before sending an alert. If you run a similar Mendix app, please have a look at our instructions.
Timeline
| Date | Description |
|---|---|
| 29 Apr 2026 | Vulnerabilities disclosed to DIVD. |
| 07 May 2025 | Case closed. |